wip: etcd: Deploy etcd

2024-07-26 21:11:40 -05:00
69 changed files with 674 additions and 1117 deletions
--- a/argocd/applications/authelia.yaml
+++ b/argocd/applications/authelia.yaml
@@ -11,6 +11,3 @@ spec:
    path: authelia
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true
--- a/argocd/applications/firefly-iii.yaml
+++ b/argocd/applications/firefly-iii.yaml
@@ -11,6 +11,3 @@ spec:
    path: firefly-iii
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true
--- a/argocd/applications/home-assistant.yaml
+++ b/argocd/applications/home-assistant.yaml
@@ -11,6 +11,3 @@ spec:
    path: home-assistant
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true
--- a/argocd/applications/ntfy.yaml
+++ b/argocd/applications/ntfy.yaml
@@ -11,6 +11,3 @@ spec:
    path: ntfy
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true
--- a/argocd/applications/paperless-ngx.yaml
+++ b/argocd/applications/paperless-ngx.yaml
@@ -11,6 +11,3 @@ spec:
    path: paperless-ngx
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true
--- a/argocd/applications/postgresql.yaml
+++ b/argocd/applications/postgresql.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: postgresql
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: postgresql
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -94,7 +94,6 @@ identity_providers:
        $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
      redirect_uris:
      - https://burp.pyrocufflink.blue:9090/oauth_callback
-      - https://minio.backups.pyrocufflink.blue/oauth_callback
    - id: step-ca
      description: step-ca
      public: true
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -55,6 +55,3 @@ patches:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
-images:
- name: ghcr.io/authelia/authelia
-  newTag: 4.38.17
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -33,6 +33,11 @@ data:
      key: certificates/tabitha.biz.key
      cert: certificates/tabitha.biz.crt
      bundle: certificates/tabitha.biz.pem
+    - name: dcow-cert
+      namespace: default
+      key: certificates/darkchestofwonders.us.key
+      cert: certificates/darkchestofwonders.us.crt
+      bundle: certificates/darkchestofwonders.us.pem
    - name: chmod777-cert
      namespace: default
      key: certificates/chmod777.sh.key
@@ -66,6 +71,7 @@ rules:
  - dustinhatchname-cert
  - hatchchat-cert
  - tabitha-cert
+  - dcow-cert
  - chmod777-cert
  - dustinandtabitha-cert
  - hlc-cert
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@@ -71,6 +71,24 @@ spec:
    algorithm: ECDSA
    rotationPolicy: Always

+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dcow-cert
+spec:
+  secretName: dcow-cert
+  dnsNames:
+  - darkchestofwonders.us
+  - '*.darkchestofwonders.us'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -28,18 +28,3 @@ secretGenerator:
  - cloudflare.api-token
  options:
    disableNameSuffixHash: true
-
-patches:
- patch: |
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: cert-manager
-      namespace: cert-manager
-    spec:
-      template:
-        spec:
-          dnsConfig:
-            nameservers:
-            - 172.30.0.1
-          dnsPolicy: None
--- a/etcd/certificate.yaml
+++ b/etcd/certificate.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd
+spec:
+  secretName: etcd-cert
+  dnsNames:
+  - etcd.pyrocufflink.blue
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: dch-ca
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
--- a/etcd/etcd.yaml
+++ b/etcd/etcd.yaml
@@ -0,0 +1,116 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: etcd
+  labels: &labels
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: etcd
+spec:
+  type: NodePort
+  selector: *labels
+  ports:
+  - name: etcd
+    port: 2379
+    nodePort: 32379
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: etcd
+  labels: &labels
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: etcd
+spec:
+  replicas: 3
+  serviceName: etcd
+  podManagementPolicy: Parallel
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      enableServiceLinks: false
+      containers:
+      - name: etcd
+        image: gcr.io/etcd-development/etcd:v3.5.15
+        command:
+        - etcd
+        args:
+        - --name=$(HOSTNAME)
+        - --listen-client-urls=https://0.0.0.0:2379
+        - --advertise-client-urls=https://0.0.0.0:32379
+        - --listen-peer-urls=https://0.0.0.0:2380
+        - --initial-advertise-peer-urls=https://$(POD_IP):2380
+        - --initial-cluster=etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380
+        - --initial-cluster-state=new
+        - --peer-auto-tls
+        - --client-cert-auth
+        - --cert-file=/run/secrets/etcd/certificate/tls.crt
+        - --key-file=/run/secrets/etcd/certificate/tls.key
+        - --trusted-ca-file=/run/dch-ca/dch-root-ca.crt
+        env:
+        - name: HOSTNAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - name: etcd-client
+          containerPort: 2379
+        - name: etcd-peer
+          containerPort: 2380
+        readinessProbe: &probe
+          tcpSocket:
+            port: 2379
+          periodSeconds: 60
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          timeoutSeconds: 1
+          failureThreshold: 30
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/dch-ca
+          name: dch-ca
+          readOnly: true
+        - mountPath: /run/secrets/etcd/certificate
+          name: cert
+          readOnly: true
+        - mountPath: /var/lib/etcd
+          name: data
+          subPath: data
+      securityContext:
+        fsGroup: 2379
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 2379
+        runAsNonRoot: true
+        runAsUser: 2379
+      volumes:
+      - name: cert
+        secret:
+          secretName: etcd-cert
+          defaultMode: 0440
+      - name: dch-ca
+        configMap:
+          name: dch-root-ca
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels: *labels
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 4G
--- a/etcd/kustomization.yaml
+++ b/etcd/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: etcd
+    app.kubernetes.io/part-of: etcd
+
+namespace: etcd
+
+resources:
+- namespace.yaml
+- certificate.yaml
+- etcd.yaml
+- ../dch-root-ca
--- a/etcd/namespace.yaml
+++ b/etcd/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: etcd
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: etcd
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -15,7 +15,7 @@ resources:
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
- ../dch-root-ca
+-  ../dch-root-ca

 configMapGenerator:
 - name: firefly-iii
@@ -53,6 +53,3 @@ patches:
            secret:
              secretName: postgres-client-cert
              defaultMode: 0640
-images:
- name: docker.io/fireflyiii/core
-  newTag: version-6.1.21
--- a/home-assistant/.gitignore
+++ b/home-assistant/.gitignore
@@ -1,2 +1 @@
 mosquitto.passwd
-secrets.yaml.in
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@@ -12,6 +12,7 @@ input_number:
 input_select:
 input_text:
 logbook:
+map:
 media_source:
 mobile_app:
 person:
@@ -75,7 +76,25 @@ light:
  - light.light_6
  - light.light_7

+matrix:
+  homeserver: https://hatch.chat
+  username: '@homeassistant:hatch.chat'
+  password: !secret matrix_password
+  rooms:
+  - '!DdgnpVhlRqeTeNqSEM:hatch.chat'
+  - '!oyDXJxjUeJkEFshmAn:hatch.chat'
+  commands:
+  - word: snapshot
+    name: snapshot
+  - word: bunnies
+    name: bunnies
+  - expression: 'lights (?P<scene>.*)'
+    name: lights
+
 notify:
+- platform: matrix
+  name: matrix
+  default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
 - platform: group
  name: mobile_apps_group
  services:
@@ -102,8 +121,37 @@ sensor:
  max_age:
    hours: 24

+- platform: seventeentrack
+  username: gyrfalcon@ebonfire.com
+  password: !secret seventeentrack_password
+
 template:
 - sensor:
+  - name: 'Thermostat Temperature'
+    device_class: temperature
+    unit_of_measurement: °C
+    state: >-
+      {% if is_state('sensor.season', 'winter') %}
+      {{ states('sensor.living_room_temperature') }}
+      {% else %}
+      {{ states('sensor.bedroom_temperature') }}
+      {% endif %}
+
+  - name: "Tonight's Forecast"
+    device_class: temperature
+    unit_of_measurement: °C
+    state: >-
+      {{ state_attr('weather.kojc_daynight', 'forecast')
+         | rejectattr('is_daytime')
+         | map(attribute='temperature')
+         | first }}
+
+  - name: Cost per Mow
+    device_class: monetary
+    unit_of_measurement: USD
+    state: >-
+      {{  3072.21 / states('counter.mow_count')|int }}
+
  - name: Apc1500 Load
    device_class: power
    unit_of_measurement: W
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -19,7 +19,7 @@ resources:
 - piper.yaml
 - whisper.yaml
 - ingress.yaml
- ../dch-root-ca
+-  ../dch-root-ca

 configMapGenerator:
 - name: home-assistant
@@ -28,9 +28,7 @@ configMapGenerator:
  - event-snapshot.sh
  - groups.yaml
  - restart-diddy-mopidy.sh
-  - restart-kitchen-mqttmarionette.sh
  - shell-command.yaml
-  - ssh_known_hosts
  - rest-command.yaml
  options:
    disableNameSuffixHash: true
@@ -43,10 +41,6 @@ configMapGenerator:
  files:
  - mosquitto.conf

- name: zigbee2mqtt
-  envs:
-  - zigbee2mqtt.env
-
 patches:
 - patch: |-
    apiVersion: apps/v1
@@ -115,16 +109,3 @@ patches:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
-images:
- name: ghcr.io/home-assistant/home-assistant
-  newTag: 2024.10.3
- name: docker.io/rhasspy/wyoming-whisper
-  newTag: 2.2.0
- name: docker.io/rhasspy/wyoming-piper
-  newTag: 1.5.0
- name: docker.io/koenkk/zigbee2mqtt
-  newTag: 1.40.2
- name: docker.io/zwavejs/zwave-js-ui
-  newTag: 9.24.0
- name: docker.io/library/eclipse-mosquitto
-  newTag: 2.0.20
--- a/home-assistant/restart-kitchen-mqttmarionette.sh
+++ b/home-assistant/restart-kitchen-mqttmarionette.sh
@@ -1 +0,0 @@
-ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette
--- a/home-assistant/shell-command.yaml
+++ b/home-assistant/shell-command.yaml
@@ -3,6 +3,3 @@ event_snapshot: >-

 restart_diddy_mopidy: >-
  sh /run/config/restart-diddy-mopidy.sh
-
-restart_kitchen_mqttmarionette: >-
-  sh /run/config/restart-kitchen-mqttmarionette.sh
--- a/home-assistant/ssh_known_hosts
+++ b/home-assistant/ssh_known_hosts
@@ -1,2 +0,0 @@
-diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
-kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7
--- a/home-assistant/whisper.yaml
+++ b/home-assistant/whisper.yaml
@@ -62,17 +62,12 @@ spec:
          runAsUser: 300
          runAsGroup: 300
        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
-          subPath: tmp
        - name: whisper-data
          mountPath: /data
          subPath: data
      securityContext:
        fsGroup: 300
      volumes:
-      - name: tmp
-        emptyDir: {}
      - name: whisper-data
        ephemeral:
          volumeClaimTemplate:
--- a/home-assistant/zigbee2mqtt.env
+++ b/home-assistant/zigbee2mqtt.env
@@ -1 +0,0 @@
-ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883
--- a/home-assistant/zigbee2mqtt.yaml
+++ b/home-assistant/zigbee2mqtt.yaml
@@ -61,10 +61,6 @@ spec:
      containers:
      - name: zigbee2mqtt
        image: docker.io/koenkk/zigbee2mqtt:1.33.1
-        envFrom:
-        - configMapRef:
-            name: zigbee2mqtt
-            optional: true
        ports:
        - containerPort: 8080
          name: http
--- a/invoice-ninja/ingress.yaml
+++ b/invoice-ninja/ingress.yaml
@@ -5,11 +5,9 @@ metadata:
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
-  annotations:
-    nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
  rules:
-  - host: invoiceninja.pyrocufflink.net
+  - host: invoiceninja.pyrocufflink.blue
    http:
      paths:
      - path: /
@@ -46,17 +44,3 @@ spec:
            name: invoice-ninja
            port:
              name: http
-
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: invoice-ninja-redirect
-  labels:
-    app.kubernetes.io/name: invoice-ninja-redirect
-    app.kubernetes.io/component: invoice-ninja
-  annotations:
-    nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
-spec:
-  rules:
-  - host: invoiceninja.pyrocufflink.blue
--- a/invoice-ninja/init.sh
+++ b/invoice-ninja/init.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+cp -r /var/www/app/. /app
+
+# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
+# server, despite the APP_URL setting.
+sed -i \
+    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
+    /app/app/Utils/HtmlEngine.php
+
+chown -R invoiceninja:invoiceninja /app
+
+if [ "$(stat -c %u /storage)" -ne "$(id -u invoiceninja)" ]; then
+    chown -R invoiceninja:invoiceninja /storage
+    chmod -R u=rwx,go= /storage
+fi
--- a/invoice-ninja/invoice-ninja.env
+++ b/invoice-ninja/invoice-ninja.env
@@ -1,5 +1,5 @@
-APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png
-APP_URL=https://invoiceninja.pyrocufflink.net
+APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
+APP_URL=https://invoiceninja.pyrocufflink.blue
 TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173

 MAIL_MAILER=smtp
--- a/invoice-ninja/invoice-ninja.yaml
+++ b/invoice-ninja/invoice-ninja.yaml
@@ -54,11 +54,33 @@ spec:
        app.kubernetes.io/component: invoice-ninja
        app.kubernetes.io/part-of: invoice-ninja
    spec:
-      containers:
-      - name: invoice-ninja
+      initContainers:
+      - name: init
        image: &image docker.io/invoiceninja/invoiceninja:5.8.16
        command:
-        - /start.sh
+        - /init.sh
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - CHOWN
+          readOnlyRootFilesystem: true
+          runAsGroup: 0
+          runAsNonRoot: false
+          runAsUser: 0
+        volumeMounts:
+        - mountPath: /app
+          name: app
+        - mountPath: /init.sh
+          name: init
+          subPath: init.sh
+        - mountPath: /storage
+          name: data
+          subPath: storage
+      containers:
+      - name: invoice-ninja
+        image: *image
        env: &env
        - name: DB_HOST
          value: invoice-ninja-db
@@ -85,19 +107,17 @@ spec:
          <<: *probe
          periodSeconds: 1
          failureThreshold: 60
+        securityContext:
+          readOnlyRootFilesystem: true
        volumeMounts: &mounts
        - mountPath: /run/secrets/invoiceninja
          name: secrets
          readOnly: true
-        - mountPath: /start.sh
-          name: init
-          subPath: start.sh
        - mountPath: /tmp
          name: tmp
          subPath: tmp
-        - mountPath: /var/www/app/public
-          name: data
-          subPath: public
+        - mountPath: /var/www/app
+          name: app
        - mountPath: /var/www/app/public/storage
          name: data
          subPath: storage-public
@@ -136,7 +156,7 @@ spec:
        - mountPath: /var/cache/nginx
          name: nginx-cache
        - mountPath: /var/www/app/public
-          name: data
+          name: app
          subPath: public
          readOnly: true
        - mountPath: /var/www/app/public/storage
@@ -172,8 +192,6 @@ spec:
                  - invoice-ninja-db
      securityContext:
        runAsNonRoot: True
-        fsGroup: 1500
-        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      volumes:
--- a/invoice-ninja/kustomization.yaml
+++ b/invoice-ninja/kustomization.yaml
@@ -19,7 +19,7 @@ resources:
 configMapGenerator:
 - name: invoice-ninja-init
  files:
-  - start.sh
+  - init.sh

 - name: invoice-ninja
  envs:
--- a/invoice-ninja/nginx.conf
+++ b/invoice-ninja/nginx.conf
@@ -37,8 +37,6 @@ http {

        charset utf-8;

-        client_max_body_size 0;
-
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
--- a/invoice-ninja/start.sh
+++ b/invoice-ninja/start.sh
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
-# server, despite the APP_URL setting.
-sed -i \
-    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
-    /var/www/app/app/Utils/HtmlEngine.php
-
-exec /usr/local/bin/docker-entrypoint supervisord
--- a/ntfy/kustomization.yaml
+++ b/ntfy/kustomization.yaml
@@ -1,23 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: ntfy
-
-resources:
- ntfy.yaml
-
-configMapGenerator:
- name: ntfy
-  namespace: ntfy
-  files:
-  - server.yml
-  options:
-    labels:
-      app.kubernetes.io/name: ntfy
-      app.kubernetes.io/component: ntfy
-      app.kubernetes.io/instance: ntfy
-      app.kubernetes.io/part-of: ntfy
-
-images:
- name: docker.io/binwiederhier/ntfy
-  newTag: v2.11.0
--- a/ntfy/ntfy.yaml
+++ b/ntfy/ntfy.yaml
@@ -5,6 +5,25 @@ metadata:
  labels:
    app.kubernetes.io/instance: ntfy

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ntfy
+  namespace: ntfy
+  labels:
+    app.kubernetes.io/name: ntfy
+    app.kubernetes.io/component: ntfy
+    app.kubernetes.io/instance: ntfy
+    app.kubernetes.io/part-of: ntfy
+data:
+  server.yml: |+
+    base-url: https://ntfy.pyrocufflink.net
+    behind-proxy: true
+    listen-http: '[::]:2586'
+    attachment-cache-dir: /var/cache/ntfy/attachments
+    attachment-file-size-limit: 100M
+
 ---
 apiVersion: v1
 kind: Service
@@ -110,7 +129,7 @@ spec:
  ingressClassName: nginx
  rules:
  - host: ntfy.pyrocufflink.blue
-    http: &http
+    http:
      paths:
      - path: /
        pathType: Prefix
@@ -119,9 +138,6 @@ spec:
            name: ntfy
            port:
              name: http
-  - host: ntfy.pyrocufflink.net
-    http: *http
  tls:
  - hosts:
    - ntfy.pyrocufflink.blue
-    - ntfy.pyrocufflink.net
--- a/ntfy/server.yml
+++ b/ntfy/server.yml
@@ -1,6 +0,0 @@
-base-url: https://ntfy.pyrocufflink.net
-behind-proxy: true
-listen-http: '[::]:2586'
-attachment-cache-dir: /var/cache/ntfy/attachments
-attachment-file-size-limit: 100M
-enable-metrics: true
--- a/paperless-ngx/gotenberg.yaml
+++ b/paperless-ngx/gotenberg.yaml
@@ -1,69 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: gotenberg
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: gotenberg
-    port: 3000
-  selector:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gotenberg
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: gotenberg
-      app.kubernetes.io/component: gotenberg
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: gotenberg
-        app.kubernetes.io/component: gotenberg
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: gotenberg
-        image: docker.io/gotenberg/gotenberg:7.5.4
-        imagePullPolicy: IfNotPresent
-        command:
-        - gotenberg
-        - --chromium-disable-javascript=true
-        - --chromium-allow-list=file:///tmp/.*
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1001
-          runAsGroup: 1001
-        volumeMounts:
-        - mountPath: /home/gotenberg
-          name: tmp
-          subPath: home
-        - mountPath: /tmp
-          name: tmp
-          subPath: tmp
-      securityContext:
-        fsGroup: 1001
-      volumes:
-      - name: tmp
-        emptyDir:
--- a/paperless-ngx/kustomization.yaml
+++ b/paperless-ngx/kustomization.yaml
@@ -1,31 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

-namespace: paperless-ngx
-
-labels:
- pairs:
-    app.kubernetes.io/instance: paperless-ngx
-
 resources:
- namespace.yaml
- redis.yaml
- gotenberg.yaml
- tika.yaml
 - paperless-ngx.yaml
 - ingress.yaml

-configMapGenerator:
- name: paperless-cmd
-  files:
-  - paperless_cmd.sh
-  options:
-    labels:
-      app.kubernetes.io/name: paperless_cmd.sh
-      app.kubernetes.io/component: paperless-ngx
-      app.kubernetes.io/part-of: paperless-ngx
-    disableNameSuffixHash: true
-
 patches:
 - target:
    kind: StatefulSet
@@ -43,10 +22,3 @@ patches:
            - name: PAPERLESS_URL
              value: https://paperless.pyrocufflink.blue

-images:
- name: ghcr.io/paperless-ngx/paperless-ngx
-  newTag: 2.12.1
- name: docker.io/gotenberg/gotenberg
-  newTag: 8.12.0
- name: docker.io/apache/tika
-  newTag: 2.9.2.1
--- a/paperless-ngx/namespace.yaml
+++ b/paperless-ngx/namespace.yaml
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: paperless-ngx
--- a/paperless-ngx/paperless-ngx.yaml
+++ b/paperless-ngx/paperless-ngx.yaml
@@ -1,4 +1,29 @@
 apiVersion: v1
+kind: Namespace
+metadata:
+  name: paperless-ngx
+  labels:
+    app.kubernetes.io/instance: paperless-ngx
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: paperless-cmd
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: paperless_cmd.sh
+    app.kubernetes.io/component: paperless-ngx
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+data:
+  paperless_cmd.sh: |+
+    #!/bin/sh
+
+    exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
+
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: paperless-ngx
@@ -15,6 +40,27 @@ spec:
    requests:
      storage: 20Gi

+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: redis
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: redis
+    port: 6379
+  selector:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
 ---
 apiVersion: v1
 kind: Service
@@ -36,6 +82,113 @@ spec:
    app.kubernetes.io/instance: paperless-ngx
  type: ClusterIP

+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: gotenberg
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: gotenberg
+    port: 3000
+  selector:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: tika
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: tika
+    port: 9998
+  selector:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  serviceName: redis
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: redis
+      app.kubernetes.io/component: redis
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: redis
+        image: docker.io/library/redis:7
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: redis
+          containerPort: 6379
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        volumeMounts:
+        - name: data
+          mountPath: /data
+          subPath: data
+        - name: tmp
+          mountPath: /tmp
+      securityContext:
+        fsGroup: 1000
+      volumes:
+      - name: tmp
+        emptyDir:
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/part-of: paperless-ngx
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2Gi
+
+
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -146,3 +299,91 @@ spec:
      - name: run
        emptyDir:
          medium: Memory
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gotenberg
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gotenberg
+      app.kubernetes.io/component: gotenberg
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gotenberg
+        app.kubernetes.io/component: gotenberg
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: gotenberg
+        image: docker.io/gotenberg/gotenberg:7.5.4
+        imagePullPolicy: IfNotPresent
+        command:
+        - gotenberg
+        - --chromium-disable-javascript=true
+        - --chromium-allow-list=file:///tmp/.*
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      securityContext:
+        fsGroup: 1000
+      volumes:
+      - name: tmp
+        emptyDir:
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tika
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: tika
+      app.kubernetes.io/component: tika
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: tika
+        app.kubernetes.io/component: tika
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: tika
+        image: ghcr.io/paperless-ngx/tika:2.5.0-minimal
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      securityContext:
+        fsGroup: 1000
+      volumes:
+      - name: tmp
+        emptyDir:
--- a/paperless-ngx/paperless_cmd.sh
+++ b/paperless-ngx/paperless_cmd.sh
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
-
--- a/paperless-ngx/redis.yaml
+++ b/paperless-ngx/redis.yaml
@@ -1,83 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: redis
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: redis
-    port: 6379
-  selector:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: redis
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  serviceName: redis
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: redis
-      app.kubernetes.io/component: redis
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: redis
-        app.kubernetes.io/component: redis
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: redis
-        image: docker.io/library/redis:7
-        imagePullPolicy: IfNotPresent
-        ports:
-        - name: redis
-          containerPort: 6379
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: data
-          mountPath: /data
-          subPath: data
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: data
-      labels:
-        app.kubernetes.io/name: redis
-        app.kubernetes.io/component: redis
-        app.kubernetes.io/part-of: paperless-ngx
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
--- a/paperless-ngx/tika.yaml
+++ b/paperless-ngx/tika.yaml
@@ -1,61 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: tika
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: tika
-    port: 9998
-  selector:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tika
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: tika
-      app.kubernetes.io/component: tika
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: tika
-        app.kubernetes.io/component: tika
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: tika
-        image: docker.io/apache/tika:2.5.0
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:
--- a/restic-exporter/kustomization.yaml
+++ b/restic-exporter/kustomization.yaml
@@ -12,7 +12,6 @@ resources:
 - network-policy.yaml
 - restic-exporter.yaml
 - secrets.yaml
- ../dch-root-ca

 configMapGenerator:
 - name: restic-exporter
@@ -30,19 +29,8 @@ patches:
        spec:
          containers:
          - name: restic-exporter
-            env:
-            - name: RESTIC_CACERT
-              value: /run/dch-ca/dch-root-ca.crt
            envFrom:
            - secretRef:
                name: restic-s3
            - configMapRef:
                name: restic-exporter
-            volumeMounts:
-            - mountPath: /run/dch-ca
-              name: dch-ca
-              readOnly: true
-          volumes:
-          - name: dch-ca
-            configMap:
-              name: dch-root-ca
--- a/restic-exporter/network-policy.yaml
+++ b/restic-exporter/network-policy.yaml
@@ -21,9 +21,9 @@ spec:
      protocol: TCP
  - to:
    - ipBlock:
-        cidr: 172.30.0.15/32
+        cidr: 172.30.0.30/32
    ports:
-    - port: 443
+    - port: 9000
  ingress:
  - from:
    - namespaceSelector:
--- a/restic-exporter/restic-exporter.env
+++ b/restic-exporter/restic-exporter.env
@@ -1,4 +1,4 @@
 TZ=America/Chicago
-RESTIC_REPOSITORY=s3:s3.backups.pyrocufflink.blue/restic
+RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
 INCLUDE_PATHS=True
 REFRESH_INTERVAL=3600
--- a/restic-exporter/secrets.yaml
+++ b/restic-exporter/secrets.yaml
@@ -31,8 +31,8 @@ metadata:
    app.kubernetes.io/part-of: restic-exporter
 spec:
  encryptedData:
-    AWS_ACCESS_KEY_ID: AgAhNzhHnjDoEopNvdZaVxe84VhtxMiwxzYbwrFNvBkWMTF3aHbVjB2/qsWMjNU+a/jFFgFJZQzzfGK6Y9o0G3xFZaMwiBvBKBxRAOS6c2J8ClB7enCPD8HkAW/6BeuY3KsUW9wSEbGBlx8oW9tRWEOVFsRv6KHZwwh/vNfvSCiCXsZgBFAPorFy0Bh9FX+3PyZhANH6AAugWzGnxZGlRcNEgYx8ZnQovlFhhSxZsmUnSwyKzpZP2h+A48N3q+aUooFQlWuq6zGMEJqrFpMwiYg0M4A+60LBXneZGzc13FibWpbWpwEoX7YljnYYVnsat002U1qgkxSCoU75EKn3nay3vO6jT8lV5CUMGzbhxdNnaKbKevpaZgRZlUirrh+KGvG6pU8JghsiCKsP+HAuFRPTVfUYM2L13v5WDqOyVvLFT7S1Z1fl+LDwm1u7SPr8HYkEdgI/7ALD+vEBDUKmSCiQ8/sR3HGz9roDu8Lh0+HFZyUeuW27mEaDtSI5c/jKpWR8exN6ltClRS7vNyWuNGe1Jq3v7qyWrLEziTwxd2vunmvE/0bS6U4VgrkAvct0e6OUycuKP2Aaik/3tJA5OGYcw6x9hymc0y+XHszrIrkxJ6n4dtYP1Ymsf8OiqMTj3SOrP3+zUaFlSLi3474KlxmBR3GN/9W3wJx0nFhceXvoZVETtjdJXsfgXgMJ874WxC3YGld3weYqVSrIIs2BdjjTAc2j5g==
-    AWS_SECRET_ACCESS_KEY: AgC26kXxZxlGlIUTFVu1aG/4c+UhCnudcOmHfmqXqwDqkY4OSEuFkdpp2uTdziT3oGGLlNxcjYUJRD1Jkn+d8TAuqMfKqaosILne6SwRzAFFn1+hYyntwuV4gvCjNn6dpI5uaweX2tpwqS8RG+aGhesugLD2XpRqh+iLrqEf6vJrfJHuURmrnHmU+zl3+3RrsjFf3BaUBOHBJRA/b/QoyBsrZ/ABbp9MVP8b7g7N7+2WVE4XMvlaVfax8J49XekMISKvqnw4oEV/UB471q6wODlQC+uSzepcFX+kBrwpkGGDrtYdPISeVtYdPQ1QDRX7XVw35s1wA67hh8UuNkp2CxMJ8VUz/uVIoMPv9EdnLiWZC2/OO84jLWcFPz/w7/LyBiicmWgaCd+A9HtODBW6Gdg8s6+8mmD3u4YQW3PgYVuI1tTWccn1FCLd3O5U3V8pS88aNRqg2c9FdQ853SNv6CJwm5CjeHW7go6KaJlbElVpqy3Vi3WY+/76HVBrfo6T6RtDc18wcBLpfDh1DiVwpVHqiVwNTPMLgalnX+VuohU6LsnRzQo0jvzx9OfwhdNA+pHGgfQt2nrKHr8pSqnPsaJBlXzm4N2Su2MeXVn962RYU1KtcciClKG70WdRxUxZ/EGKqCgleUS+1kSC488XYWSwg44zCEHqfzJxgF1ykCAF6oG5FT+rKpB4845OHsFKEn2X9gDb3UExNSuyzdQeyxSQSVo1EivjQbh2jK3vtdGckkmfJ8Nlxmoi
+    AWS_ACCESS_KEY_ID: AgCiUz6l8sPPSxh8lmtH4HEiQEu2EWN8zpS3Farh4/CxWVn01HufAU7n7xxPjMTkkoCfa42ux/WNLl3Gl539CgAoyaudlAfuzl+Uq5w3S1XesL/lTwBqYr3mF0ZeGxeHBh2h+S9IaTPef9SWFTV/F+X3rDOKw6OfMLSI3TZAarVuvNJ9GnK8vTu5MoE+4IhHfJRBor4qI9TGKOQQDtoQP9xcwWrOQJOKvyXGtOmz/u+H4K5VVsGvPpIWYDHS3V1HIzCaVLDEulL13dyNofXKmQB7mW7yPhRIn/MJGfuAvUXAE5Or1bgamftCujtl1nR8/K5Gq6h5212hVCtY2F8YMBZSt5G+GmitTSz7PJrjTB6OzXy1Uu+bNGWgjtck6bxzm/pkO44bC5/ZvhB0AESDSBIkpBSm1o7LMl6rCF+mUybsGNmRq9mcMvtMwAbUgzEewlMbdA+zN/YqEJFMZWcE9fYHms9pil3O+mDB1LilBMUczPD/zzpP88b2m36XmT3nSRBCTcfx8nqaqB6dvYK2AYjmM9iDPM0jRxZOaA6WZy3PsTUeJvfzxNapfE72lWREtaTVP3wfhwt2BcoiIxWqc7i/9LplcEOl62S2WhMtP0wJGXMSWmzxOPHno98u1aA4r/2K3LBk+9gSzA9grwi3VpK9NsADf1vFbLmd25eDqSe6zQl5YNk+Ty20uHqK53fdqwkM2WlvOmakXlw9dBr1CWGr
+    AWS_SECRET_ACCESS_KEY: AgCJ3K0gt8GqI3go1fQ/pMjFjpW0Z+j/YElaPqTUp8dpuhEdRS3MybCOjLhKwfpQN/nufRXbk0hLZYgloGznjEpdJvP4EEb3uwwdfZ2oP+h8YVyHpHsh7DlnuHUk7RwGJiL+wb+Xnh6ChsYKQQ2HfWnIQ+JZMGKDMQqaq0CwaQAde8MUZlJyqu7tZjD5wP3PFf6WxG2lwQiwD7vMi+M/r8h0a5Sf4TVdXIrRSPE9nvVmuaN7+4eAmOmzRmVqUxXqHhSL0/yMichOFGXXOCWryQlM/gm0BETEj8g9RdhqyJ6iXvgR8/ObZUQ4zoOeonaQQNZYOjgcZ+oWD+8n0gayziCIQz1Czf3HeGyXFpmVRCcQKOFb+Pz/U308zefDT/sCg4ggH8Le/7VVBYqKjUZWPFrJrhVju1IU3BZDs8PZhjaFWDIHvL7IuI9QLLKhhHHNWQ1IQSZgSyQUNYGK0lLbOWpID14w1FgIBI9+JhLSGtue+KwKgZxgrmE9QUI1CEhEPVXCZDCSmjY629QNLiVmNG/SiEL9uJAj2BlXkMpPtZuI4b9iINcw+vS8yYifdiRxcBpCZQTD9DiEf9NRh8pvC4YuwTkFVN8++vQyDtPiJPigJpZo3Uuz2S7dEcsRD28Y2sSiLMOdzTzRwovUigkUUSONCecNWhWeMWneFx7u97PvNMK1ogDOAzjDxvM13I8dw/eK6uXB9XNKZh3NkC/18RsIqdHhLhZKeAzx3VOtbvTOIw==
  template:
    metadata:
      name: restic-s3
--- a/sshca/jenkins.yaml
+++ b/sshca/jenkins.yaml
@@ -1,30 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: jenkins
-  namespace: sshca
-rules:
-  - apiGroups:
-    - apps
-    resources:
-    - deployments
-    resourceNames:
-    - sshca
-    verbs:
-    - get
-    - patch
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: jenkins
-  namespace: sshca
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: jenkins
-subjects:
- kind: ServiceAccount
-  name: default
-  namespace: jenkins-jobs
--- a/sshca/secrets.yaml
+++ b/sshca/secrets.yaml
@@ -63,11 +63,12 @@ metadata:
  namespace: sshca
 spec:
  encryptedData:
-    machine-ids.json: AgDFZAXMsprTHrj9LTtwsnuUfTeetde+40R7xbPapgZ1an0FWOqHySQrSxhqpXZ3OBBoln4Nk1uM16J0YxATo233uBxUvcTZ9npwDiX9yZNSj43I81vJUFua1rBovnSSYDDo1cdgICmnbAyiT4yElOde9/lHAuKoJllZz+M/kHx9ZD/6VfkRDIGQZkjjLZvGNPIOEMqHprt4JrgG7Is3j3+aAewHHgMa+wEX8pW/M2kLTL+8Eiz7d4BvHZPd2fuW8P4NqSk3V2J9t6e5gt3/8HMl5adHNWN/bEOksQsFa9UWeYE9qKOC8T5z8ad8I/BNkZn1AN7KzAbZWCgT4Dd/reC5UrpnrCU9YLmYjKaa0LvpgVPe2D39R6En1B9kQVW7TzSdCE5/ussRrJbONA29hOgonhY8rx2sOJ8j/1w/Gcu10hllQuJkNiomWzcyrgb2tkKKXSNVRbRLBXqtef8mEsp6tTKRTOxK5QjWJvMgfPWNl5WDgw9RlbF0J6LN6TwveElCfn2J+ioJNxGjXbyBDhVy1HSdAqsviOUVajFxU/We0m9RAz8d6C3XehQTDzQhPifUT6dTMEdvuBcdKy0ck8ZAdyHh2CQJEaPK28Me/KUubOd0fWkw4gllZkPi0Ew2trvAjCMLfpaCnHVK06T/5H+TUxQfUMwv0QoAJbW+jSNs8zmLg/wFTJJDHvTkLEbsJRr11rVH41m+b51vn3/MYQtctgor7B2iUQfScjdmHWbg13ypSpaI9KOwRQqfp3+eIhGZQPfKC/LDmHWjLT5zaB/9ipXi48YPpsMThYGET4o6VlJOhOEpN+COG7y9iXbqQVP+yLYjiUoiiBx21pY26z8APqY5sHQ2/HfP/BCYD4ruU4ANJP1/NtI4k8u3vigmWP8E8fCPoSJ0isFNWqjkBqPCMOizwGEUhkasjPx5814fDsZVmM4N6gLhtrpl18LV2zQXdurTB1KpgIPGGrUggwKqIAediDz32L2UgUFH0ELXlju05fxMeJwFDXpQXAxHZ+j/8G63kmMjbZDnmwdEM2pnr7JRZAPl/xiFy24Q+Xs43hXnwh3s8HIUYHjAfdrEVs461lkapnzSPwU94UD8Kh4PzIKRF9Tfou6PTQCuviDxOZd+MYbbeATAL05S6DyJ2ovKgighhwFZ8lXkBi7DWq2WJ9HQEfFezT4CvOXF+rsqsMMed9CJy7/tvuPhrtdehz6ZAca0cfn9rkhU2Xgn13jjk6++GGdXIQJdc+hd1/49OK/n8ozvDYKWnC3M5d9hGSir2lXbFgZl7ufJSKoiFjemsOQ1vY39WZcNDGonCq40MXi/iW/+hARfInn30p5znndLAEKZczCYdkpQt8EDRL8HOvZPDdFdr7s4sy9fLLtjGtVGltl6xCrJvXwSG7VijUfG78pj6Z0lQNxub/KYt8H/DY0WzJvPinp6JQyJeDGl/i15f/avVJvh0zGAHbZuGbC2dJSzrTFIWb8jKLzpcLWNRKMxSHZuZuBP0z6jgh2WKbfvagqszO3l9Qp4GlLs+1elp1cbDO7hVCMti35gvqqVYknyoKj3Z7elPKeZQ8AnpyxiVns1VKTavI4vX1GALnyYXKROJd8LvrEsf4k1cwAw0VMw0SlQNpU55iW3M2Ut1mqm1pHHKQ==
+    machine-ids.json: AgB1dg6pf6q5I9530RYOp0RPL3H2q6iQvRTNrBjtNfDTJItt3eC7+YMscqV9YUMghjztm9j2XYXWmv267rputamlJv3zvWp2C6u56KURlQrgGv7nK9QsNUBVwZVProod3IiRSE+rEEu8slqB2Lcqev74z26MA6/4EG7Bbhzr/XRpVGV14H1+I1+M81D4Qq+zJKhml0K2H0hAoy0hhor3mtIJY/pjTgZadUFgJWScZnLhCE84Y56yZCnpUOOqu+Ipg573TWEvUgJILUKAx0u464lK8ZMuyjH72wObNl0jxAdm7QWt4bVeInUswqTxi/rNcMjTgeOR0h0EJOzZfP3OiACt7lLbcbZsfeM1F0aR3ttxN288Fi6c/+FbFJGQ/Vvjx9aSm+c5PvCtKHXWJ79k7PNJsXD0XK/eK1lq/03H9HfQ4Ath58PRNdR3bzz3lBctI6wrbaS8V3ref/O3O0aYp6+YidhkDXNxBXNnctKZc2kKoZ9WCA+2nnWezGdVAUq3Na5W5DVx6pwJrIWG6zQ+Dj8caPs2XUSxQPhAvq2uUinlDxkaSg5FrOvyPVq3Ee2pXHQMprGdwcT0wBobRiveg0O9hsrOmRtzH38AJfE6nUT2I4+ej4i1xlO0vufcTeuUpheIhEm3+Gvtp4GgeMVvuuqfU42DZN2i+SSKFvysMxkz+fDVfig41R2KCkgwLbgofkZLcoXk892gfCcF+4yg5XB5Rk1yCMsNuU7ZIkllMLHsYlq9ERmrE0f61FmOEw0KknBDiGnoGZrDapQTZ0J52HrcLeUmi8C+pWacJnczBrEsi1eGNFaE7tTCBEjWT3KegJ1cwO/YnfYMuE1DFpQJEkOVW/mxWqLTKw1I8Bwi5g/pj4H5MhbIHhPUsOuS6Nz9W6cW/9h7lCHf12zt+bAcH/OabioIjmF4ZcMQ04u9yTumYtmTVt8/0snq9YLMOLOvaTAJTFlJW3wgXf8c0UkTKp9ZpAZfROTJ42GNUXvtwKL3rP/tbQ8UGl80wKWtMgCm1uG3K/U51rFLcDCIAxHXjrwOuMhj8D8A9RSEnoy9CZRnTATa+bgSQZQtouzy+NQO/ikHkSgJxQ5rs/ISmK5ngOPV+rU9qO3hE8/90FtotEmW0P7tPI9vcxzy3s+q3xiuz0ErPmqQqGoUjhmUvSC3GhHGeOflF4Q3oJhFiAP51r+PlTRBv303mi1PRvsO6xekPHl5qoqjPbPI+ujvbvDupDjyqTxV3CGENLoBZbxTPAKmBZpoLeYsdyC/N2m0pUtDqYj5GqxQYrultkGt4lGbSr/WaACsC6JTgo5Cyw+jr+NIJUEUzzCYjeGjBZGQm/hVcXgw4RlKelq3p5YEVj6/Fxr8xY9rff/dKxG/ceg2+AomtvkOvSNgO/IBWtZWqQKRz+V2F4p3WkqnVowr93ikyUeTsjbZAcvOsijywvS22ojq7evodATK
  template:
    metadata:
      name: sshca-data
      namespace: sshca
+
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
--- a/step-ca/ingress.yaml
+++ b/step-ca/ingress.yaml
@@ -1,25 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: step-ca
-  labels:
-    app.kubernetes.io/name: step-ca
-    app.kubernetes.io/component: step-ca
-    app.kubernetes.io/part-of: step-ca
-  annotations:
-    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: ca.pyrocufflink.blue
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: step-ca
-            port:
-              name: step-ca
--- a/step-ca/kustomization.yaml
+++ b/step-ca/kustomization.yaml
@@ -21,18 +21,3 @@ configMapGenerator:
  files:
  - root_ca.crt
  - intermediate_ca.crt
-
-patches:
- patch: |
-    apiVersion: apps/v1
-    kind: StatefulSet
-    metadata:
-      name: step-ca
-      namespace: step-ca
-    spec:
-      template:
-        spec:
-          dnsConfig:
-            nameservers:
-            - 172.30.0.1
-          dnsPolicy: None
--- a/storage/.gitignore
+++ b/storage/.gitignore
@@ -1 +0,0 @@
-minio-backups-credentials.in.yaml
--- a/storage/minio-backups-credentials.yaml
+++ b/storage/minio-backups-credentials.yaml
@@ -1,17 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: minio-backups-credentials
-  namespace: longhorn-system
-spec:
-  encryptedData:
-    AWS_ACCESS_KEY_ID: AgAldMdcn4+SlYCqSKtXDB530WOUBU7HTp/9n4/aPKnsRW4BnXtxlub37i3MTTcavSG2MsoDem+tU+B1hZ6YdawDXmXt1xKqrfoF2bhJCV7iGHD7rGqORK4EKhwphRPG37a6IH7T01Pz7od3ThIv5luOOrd8ttTIhT4mBGlI1i2EWfYT8UnsEyAblSA3t0KStTVrKzwl7x+SDqaxZJ/kBFfk82ceO5KPbgns5cqJhlRMeZWdl32m0mx1QOn091rtoGsIEXG6CB3mtLdpVbbXdFo8gOtG/c/sG6SaOw1MnPlqin4zkVx9pbTHUD8iaykgiBan1klGj8Y/9PLBg9Hpk1Szc757kbW2BPYJeTkVuA5SrTe9FGdfkR5djDJx8QYTgqJirWhj/KhJQ7uOcJcvWnquTO/nqGK+vKcH8rs4cYSfnxbEx/P0/bQp7JyT3ehT7txKyTzpLXC4AlL1VIp33gOOlY+sQjFrqSR5aS6Y+dkAMTup8enVJDL9x33C3xM7JHHs5/X+O6zXbxJxYhGQmk4EgqySo6hrOXOJ2pJ2cc1CU/WK2lzQEpAn9ZBm8pYmQZNeZsCpMf3IRAVKpu8eZOLQeekgiv+C77Yzq2mKBEt6eYnI0C6TgiyKDZeCeHP1j3GRqEwO7DMy/QRUILOf+L+bBJ34QOqjFqZQd/HB053aPm3pw06i7oThcjrv1Gtfc/wHNxT2zC+A6X+Ixu6I1ryzQK1Efg==
-    AWS_CERT: AgCl5sY+yThW58Vnxk/XEBOQy9DDyoVPVvWnxsu4oL5M78g/J0+WaCTq3yadGE0+OnmgF/Iq6Smj/yONMkvvOe77x9aT5bS9VUR1JLo7CawX+b0HlytU9w5j5wSFb8EQ3rC/2AABCUfZAsavM/vUZRzPoX1h9FxmQWweFOVLySFXJbSHPxiNJ69Wk5MiuGpab+XMaU9saCMEvIC0mZ02Sw+73xMVt2nqi77JxR6SncjjjYHJHaJMOIlOtfUyKnsrDlxYaHaP9OQmFfnXEQgfsmAx1zbZFtsMhEfr9FVlNzEJ5kqOzX8OH1n58Rkmfad3XfRAAwgzpR9lAsDZVNhYBFNfzTFaQ0mlZ2xhyHIhzMZfOzUrAfVeoS42BWghdMwsgNj7+boiGyl0A9LcxekvmrDmKrwYgjzpYw1J8vml6OlN+8EKI+0IkDa9d6y3fKB9t5m1BbdsEXfapcglCFxTTKeo597BI2zn4KHxuhQyG/MU2YNrdoftUDibscJlXXbEmg/4qZEr4vDtvETzA5JsPPeCK3R43kIOqBffu2c3SVZCE/bBxY3OodSmsLIlwqolRJexlIbhZ6YG4UGZk/y08XBpB4227+SPtWrFBYD50pxbaB2ApR0wPyUgI8ARaRhouLkAds4kkkQ01rpZ4KD7c5aiT9LTk6BhulVI1dLuoKlxl/fL9zNOwh/b6lou1jGX/VRVulwATY8kfGJcDAzUJpq4ps88Yqu3T4qz1WrlG8bsTV58fDTp/wm5Z67wipwtAhvLySn6g5e7u1graEQAOa45DXb/znarVAHkWl06hXSOBF4yXvC8pdJJgzvxXdCD0kVCR2zTRs0g8hBNt8e1spVzU8FAAZMM0fPvLl0OaF+v4WQE45CM5p93OCsZKRVce0wcCNL+c/zVJmLqGdmKwModYpMFwT/zUsj352TIjLOLe96z+cj/iOaHL1+YHtI1gJvXx2reaOv4bfORQ/znI8SvCOqkB1paq1ZOf3j0g5FQm+CUqFbSxTO7qU/0SB+xz3gURfEpCXiCf5N14WUnHe40SbrnI/h3yiA4aZP0rYoprvvQRPY2uC54FHZgDqdzdwYdrM64bz2hu40kUXxZxIXY9iwQPEBbyHxCEsgFRfDTleAal8terh/9p/NQue6hvTSoP0hgIWvUc/XMaFFlbxQps2aSBmuReNH37eWRxink1bqk4X09AP+53uR2R645+ttt/uR5MBK7cGOdDDSau7eV+0eNcJ3npCnsvW/btwFJaGpqHlEqs/eCobE3v7cg19wYe0bwsdQ8d8YIZXIAvvcTOIcBUvBN+4+2FWSJYB2fG+vgEXN6NOgpeHYqQ0rRDo+BHYSTu8T7cgF8ytuc8oNdF8jhgAQRCfRZiYgbdePySoFq1432828wuTwk6W16For/plyoMIWdaxcR7fR5jnS+HffDRNgHLNVGaoHwWsQ3jCfNjrLyPoAA/wmihHir9/nSpn1qUj4Q58Wwok7VCFrr1LisSJl7/gkVhltL62CaSS+fEtXhQdrrlRfqDvjzjyeHvnm6dh2LQK+gNMvoySP0G6atBxzFFwhQWsC1Ic35Ff2fRzJH0TgOvuBsgD3bjw==
-    AWS_ENDPOINTS: AgBLYIgZp/KFxBG16tQmF2sMQuZOpU4hrdEFMFThFUoXGx8IA1wJvayFEwelA1K8h1z8NTwnotS5M6VmKdLzVc+fUM6S+4DUukDgMvO99qtFa4xd+0hoz0nkCLySgWm3NqC+RzukQIC6tqp5RHCMFhhr3wxsPxckJdUmA4MDIlcI7/gHVNkrKoKBsjuIVq1h0gkr3KJUOUShMTjffBMNPTHLyy2dm2nQ+dF74GAZZqYKsWk3hV3V5bPOKi5J8Q5vifA8r0my2JRjEqg7kndvITUfgOguneyhqB8jc4olWAojeQ30oBYucM+ddsXgyaNbrVy8iZoceEjiNhzfLnuJXKhjJStenK2X7ZNGTaZqEx4qpRI35tDD6Iuhbo+fttcjoH96oChDnagTq8+bD1Qo/Kn3T6PESorVIN9GTwuyfOP7BjO32fMCEnIaIySybL+CCShlRDEiVIkRwy01hEQZabpjwwOH015wrt+7V7A+x2I3PhoXL2E71/SIWiAk4BWU0gWhp7z4/FdH6LRMB6qIr7u7/PH6aRo4DWEQWWRASUeS6Im+0TGiSnQnVMNchxI+oZAYVWV/f/zDTq2G2yjqvqymUqgY7H+6G+hiZbM1kAPK4A440mgmBhcsgWOBv6vri/8JGMWDQkRYiX63jroNBR2EZFXg4ypYh7FMQXc3G+vBz3f2VwN+UYOB8aHJHwAlnYAo6fZjnWg4J+pr3vef6AMqMRuQPHF2ZhLX9ioTwIFymGQNaxY=
-    AWS_SECRET_ACCESS_KEY: AgCe7F3hSmolBOLyh/98v9sl/hmCgSq2U1X40F/LPHjZmSGlvExNv62yuw8fMU/aQnJwG8xvC0gLcBKyc8UljzsAXTa5+XI5S6e2AMP/q3NTe0JmaLN8/aBJbj+P78k7I79nyQxwT+vgGJ+0TgtVJCMHLAhQtJhijCcZ6tMVozkbqQClHhKXx3FWVEGICJlAe5N6sGuZBqf65//MYwK59QkEqEtVm9+P/9BYk8VS6gdtMnH9HVt1axSJ4JvjZXYIxMdGmyGHd7V7xLIDPQo12dAOnRI4w4TtZqtjt736g6MKSjSpiQ4s5H2Ojt8yxONnYEy4JajKeWhhsABu6YKpRXJy/VrZeJbcvqFl7+0DRYeUU0/wtKW5qbtusLoaqOUhEDs2sz7O/dGWbIB6r0MPWjrllGu2i4pHl4et+GpB+/N3xZ+M6wQNcKGiVAEJPQlPtTQem5lbdByOQYrpDuJUs2n6u2A8eAFoJIn1/Sr5ZFS5Pu2znh3c2Zat9O1Z7N/HbC7EofHnL6zpZRS5LJZxx2mFI9ssmkpzqLdqwPCFyXvCrBfiDa/0a4NQRwMDnG6HmyyEI6wVzYWpl2ZOHiI5wVAlHVBho/QwTmLfrb7mC8apMVEmDiHawyTFp8Ze5IQ1BiPmR2jtpfnri2oWu1FDmGvzQXwbI7hBhmasz7l5CpIKcTcQEf4P9k2ODEpQa+5fr/RlqQrXiITksH9mSUsMGXCGz/ATzsv5ZyV7zHk3Y4+mxHd904kbEdE9
-    VIRTUAL_HOSTED_STYLE: AgA3k1kkLajEaw59NpJXs8UctwKUEIG2vJ6Mq/SZ3bMxLHy4hsDhNijy2EbMSpjYMnARd9f4hnopYrQLOW0EkhKwcfzR3zpKEZoaLLEo2itdfZkgmGqU27SVR4bnJM3+mZYDFuCVTVnr4spXkoCOIYmJZOSGKELr8h/VY0dUruzapP/410O2DIM2n/8BnwT4dSXDNuBMSAe0NBiXUjSI4Be715G8SQfKxhZCrXJ5x4Nvwudq45a5VAcVZoJgfvyOPL3LkUsvAzon3tKoGwzOdkwPOY+SQclVHyg3C2CYyp9P2B6XvIb9FOE4C0F0tAF/H/oRznJefIKydkJiZ0mWKqzYuQXVbZaTkJzBDkjEv4BPsUYVE24iao0D8OXijJnz5NKZ7nagE9ucHyTGCX0HPahD8/wdjtRC5Tqj5Kk8XwIJx2Wv4OpTl9eRLWxCuGRoQBkhnRTB0jhHSvciiVP5q/PEN6cHnz6TrVJLFwJmplATlKpe4nImZHICK0c6jnUaPYQ9KlFB6U10npdKAM0Gm/hN1lOBiBomckOcv0cSef896URDs7C/0xC/+3ghi8Aji/dZ/zRCf77YUn/8QWqzIv/tomkzjIjhrzPdOJeLefxqeUx+u+/AAL+cv4VGtIkn5Gc5felf9A5SDWroD8cjm9ZyWXA3teeVU8Uatep3llwf71ROBYpSXS5h+6TWhDDKiYgpqao0
-  template:
-    metadata:
-      name: minio-backups-credentials
-      namespace: longhorn-system
--- a/updatebot/.gitignore
+++ b/updatebot/.gitignore
@@ -1,2 +0,0 @@
-gitea.token
-sshkey
--- a/updatebot/config.yml
+++ b/updatebot/config.yml
@@ -1,98 +0,0 @@
-repo:
-  url: https://git.pyrocufflink.net/infra/kubernetes
-  token_file: /run/secrets/updatebot/gitea.token
-
-projects:
- name: home-assistant
-  kind: kustomize
-  images:
-  - name: home-assistant
-    image: ghcr.io/home-assistant/home-assistant
-    source:
-      kind: github
-      organization: home-assistant
-      repo: core
-  - name: whisper
-    image: docker.io/rhasspy/wyoming-whisper
-    source:
-      kind: docker
-      namespace: rhasspy
-      repository: wyoming-whisper
-  - name: piper
-    image: docker.io/rhasspy/wyoming-piper
-    source:
-      kind: docker
-      namespace: rhasspy
-      repository: wyoming-piper
-  - name: zigbee2mqtt
-    image: docker.io/koenkk/zigbee2mqtt
-    source:
-      kind: github
-      organization: Koenkk
-      repo: zigbee2mqtt
-  - name: zwavejs2mqtt
-    image: docker.io/zwavejs/zwave-js-ui
-    source:
-      kind: github
-      organization: zwave-js
-      repo: zwave-js-ui
-  - name: mosquitto
-    image: docker.io/library/eclipse-mosquitto
-    source:
-      kind: docker
-      namespace: library
-      repository: eclipse-mosquitto
-
- name: firefly-iii
-  kind: kustomize
-  images:
-  - name: firefly-iii
-    image: docker.io/fireflyiii/core
-    tag_format: version-{version}
-    source:
-      kind: github
-      organization: firefly-iii
-      repo: firefly-iii
-
- name: paperless-ngx
-  kind: kustomize
-  images:
-  - name: paperless-ngx
-    image: ghcr.io/paperless-ngx/paperless-ngx
-    source:
-      kind: github
-      organization: paperless-ngx
-      repo: paperless-ngx
-  - name: gotenberg
-    image: docker.io/gotenberg/gotenberg
-    source:
-      kind: github
-      organization: gotenberg
-      repo: gotenberg
-  - name: tika
-    image: docker.io/apache/tika
-    source:
-      kind: docker
-      namespace: apache
-      repository: tika
-
- name: ntfy
-  kind: kustomize
-  images:
-  - name: ntfy
-    image: docker.io/binwiederhier/ntfy
-    tag_format: v{version}
-    source:
-      kind: github
-      organization: binwiederhier
-      repo: ntfy
-
- name: authelia
-  kind: kustomize
-  images:
-  - name: authelia
-    image: ghcr.io/authelia/authelia
-    source:
-      kind: github
-      organization: authelia
-      repo: authelia
--- a/updatebot/kustomization.yaml
+++ b/updatebot/kustomization.yaml
@@ -1,34 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: updatebot
-
-labels:
- pairs:
-    app.kubernetes.io/component: updatebot
-    app.kubernetes.io/instance: updatebot
-    app.kubernetes.io/part-of: updatebot
-  includeTemplates: true
-
-resources:
- namespace.yaml
- rbac.yaml
- updatebot.yaml
- secrets.yaml
-
-configMapGenerator:
- name: updatebot-projects
-  files:
-  - config.yml
-  options:
-    disableNameSuffixHash: true
-    labels:
-      app.kubernetes.io/name: updatebot-projects
-
- name: ssh-known-hosts
-  files:
-  - ssh_known_hosts
-  options:
-    disableNameSuffixHash: true
-    labels:
-      app.kubernetes.io/name: ssh-known-hosts
--- a/updatebot/namespace.yaml
+++ b/updatebot/namespace.yaml
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: updatebot
-  labels:
-    app.kubernetes.io/name: updatebot
--- a/updatebot/rbac.yaml
+++ b/updatebot/rbac.yaml
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: updatebot
-  labels:
-    app.kubernetes.io/name: updatebot
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: updatebot
-  labels:
-    app.kubernetes.io/name: updatebot
-rules:
- apiGroups:
-  - '*'
-  resources:
-  - '*'
-  verbs:
-  - get
-  - patch
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: updatebot
-  labels:
-    app.kubernetes.io/name: updatebot
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: updatebot
-subjects:
- kind: ServiceAccount
-  name: updatebot
--- a/updatebot/secrets.yaml
+++ b/updatebot/secrets.yaml
@@ -1,34 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: updatebot-ssh
-  namespace: updatebot
-  labels: &labels
-    app.kubernetes.io/name: updatebot-ssh
-spec:
-  encryptedData:
-    id_ed25519: AgBtJeOutVpyMyvzIQfAatNqomOXTwPJ6hRwE8r7pAR3UNQdgKoaz+i6f4IIWeLnGDWCveUTFFGp5O6uvuKCqZzo5J8706CV4Y1Cba+nGKbGyObNF5gF7qD2Jz8n4z99SKLA7ZPBRBj4rgtmKz68cJyi4PfDla2/csjONV+PMsMYLquDX8I+7G7YYzdhzt0V89XwzDl4PhegyPTLH0AaQysXfj2/OnmQINiIwwPcbhXv8AiRVFsqWRpsWTCs4nCcNAHIxmSVgzgwqDNZRym31FbLbNpYTD4KhL6zhBpp3GAX/q2Dk5tJtVsUc6v/cvD0+pgcKvgRFMOcH9Z6MgcmotTdpwSINZe4mUY4VHONAt8WNvqUCo+Y80eHDpV5OVfAnMARowwnF8CRV9v19Q6hWnnVvV214IUJuqEgV1IDDIpRl3jmtFBjEQ+s0A0HtYyhgoEZoK7ZeypgIyQJucGjaBh6QArD1hjQtzPsFji52VWdkf/ocqPmg6H4ZL38MRQFhOnvrucJandqQihS0XCMLe5WdLTNzjbTS2skYw/9LqPUZ05pHPPGZQseLcgTclfuNKxYHTS5RNA3xWSWnNUt53VHEjPUMWRQNf1tfqA/EeK52fTM5iqRiI8chtHNUTwX+ZegONJtwwBoxWwfgjEJWBTwiGxjAXkIQoCNfaIqZI6wdHWQs3cXjgsIw8h8H7NIdN/O59CxbpLaU1YgxoKFvfhRQoO8F8RhMuX691o/lIzjFTkE5uZmsQWUCZGQu1M/OiqepmibbFguwIk9hNI41vwcd4nPdxTmQazD0rO72ZsJlUWdoK+psGFiv3Haeua1SXF3XbD0FO/tHu1HW+QDrtThlShP/ozebceEApYmdVHZkcuKYxIbDwL5lgax9L6mFSPpENX7M06uHGMqGLjOBHPXiSacVK6GuNj9ZdNmux6kOrSL9CYdcru/eeWyv64vZxwFavNqK7K/Pu7sgOOe3N+be73awtB7qhfMNaVMP/kK0kF74pHpZLI8qotTkcPv30N9q+yBoSm/nmuYG6Mv1FONSSRUPdBmeeSTpVAIviePvl0C0BApQG6zvBimVEDcWQ/VYnqgwo769lvMjlAVCcOXOqQt4CQ/1lxVtOXHpMt/+ZH+6RoyYu1sGzlPP/yXi5AMVPdYRDvEhUQ/qkpDDL3Up/MiSIKVeQxLTBc+FCz8mj08b+AgyVk1Rl0TfSzaL05Yiv17uvjYrkozTWXk/Yk=
-    id_ed25519.pub: AgALz9mR5yjRcR+LRllzY/+x75tubtbD0+rfdky0+LbwxsVfDirxB4x3vWKzlDMQiB+vtj3DyZz3K+k85MYrEbpZvwMePJ8HM/VW09fImW99+RcD6593bE5jOqAAujNhReopIJpJ3fTqMcNSOHs0eU1bogFJiY+ErsXKuY30EEM2wn53o73jRFThVVNfrS4QG85mFATrkAkS5CBTbUqzzoixhtqbtC+Wnlu4JnAU+c5aUcRdm05G/n0Eh5rKwtvN1SoWF0x4YG6jspzfZuKlhtgaLEK8gYHlMtZfEmUeUy/hpt5nHP3yc/hONUtz0TTYMmtxaMfqZZgGQlM2zTfvWAlxfqDr8U6rANB8HN64LQ2OQ3MGpkYEpMC37hkgVjSL+awttE2h49XuvS6zYg8ia/HTEm0lyE/8eBoVvmZgPzpl7QCcxs0YucrEyV5X1vOwiIO0bueumxsld5rGR5Gn4ReCayuU0Erq5MjXSbOEZf3r/9LbL90KJYLCUFdhSxfbNqSZjorco4ZXHLlhsBFqDFGxjkWDCH9aA7ZFQLH2oUaY4txYl1VmBtTTlIcGMTsBXrvlgdCz4bI9mt1lPFi3WgwYyCWwT0AitYl/FL/1mwlrs0yH9w1Y7AVwJoEp729w8DQ1Qm+wkzMtjVxsgu4bEHQym+5DaDF2XifcT/T/GEBFcqoqrl6e0x25tybI3GnzGcaZ/TY1b5FBW41wl5inwBzwilnlc70nykiCq2Pg/+EQlUFWzh/6el70xlnVatIln3/Lz/sJ2qZjvEugfiESnOy/6JhbP3KSWjoJM5u3K6I6moQeWOH1g7ZDoJb6
-  template:
-    metadata:
-      name: updatebot-ssh
-      namespace: updatebot
-      labels: *labels
-
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: updatebot
-  namespace: updatebot
-  labels: &labels
-    app.kubernetes.io/name: updatebot
-spec:
-  encryptedData:
-    gitea.token: AgCsTbakH+a911jC4w2VAMxNCec0DSVg3PufcwVMvLp8N1mZs4g7Btg33FhSDv4GnG6tluhNrvjNm9CwA9Hb6DX+lAlGM20ntBr7whC4x3XQqVYVVkk9loQTsNkVYbuUye3cnlTVi1RIku5qtKA4iiopc0naaAFYPAJZXd/oUP6Ghs9ttsPoYRAK3QeKkGUDsDoe7EpRFrvmdmV71R7OxSsCQBR9EoWJiKRJYNzZ6RyjrdLA5tJT/oVkpRzBVqp92Ujgbz731KtGuBesWWbXYI7sjQFYfc+KCg3taOyhpOTAxF74JETxOyyMkdg3memcPaZKXGIn1fm8/pTOXOZYdn5I65wwIJa91GT7xZ7jMT+EvgQkEDXenQia71sgcInngFcVGdHtWH8+a2HkTTHaRibQW6EivgafO+61Ukc/HL1ULwVT6lAHMs1h+/JhLrdPcqXIfZxrD6k1cWk9H5AbzTUtA43M0jCcdlk0LuKdSyq6Mi85OSs1aU+fBdRiAzXnMUgL3Gcku94E2SPKgZ/2i5W6gpBig5Q1m8qZKXQiopZelqIQt9IkORBp+ge9E2SB+6H84q59csuUVxqn7BNAT24eOrdZSNCT8I9oxnO9YyXqrty58/WD206eloVejtGXwWjtCBWWEg3T7DTVheEeRJgCUwFzaGYtw8VuPr0VOXFXNkF0VcQ83XGqOUTlMEsUtHEEuk3btD5AjFKK+q3+jp1qCoafYgoxV1FZA3GxxWhalIh9yVz+RLla
-  template:
-    metadata:
-      name: updatebot
-      namespace: updatebot
-      labels: *labels
--- a/updatebot/ssh_known_hosts
+++ b/updatebot/ssh_known_hosts
@@ -1,3 +0,0 @@
-git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
-git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8=
-git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN
--- a/updatebot/sshkey.pub
+++ b/updatebot/sshkey.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot
--- a/updatebot/updatebot.yaml
+++ b/updatebot/updatebot.yaml
@@ -1,78 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: updatebot
-  labels: &labels
-    app.kubernetes.io/name: updatebot
-spec:
-  schedule: 32 6 * * 6
-  timeZone: America/Chicago
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        metadata:
-          labels: *labels
-        spec:
-          restartPolicy: Never
-          containers:
-          - name: updatebot
-            image: git.pyrocufflink.net/infra/updatebot
-            imagePullPolicy: Always
-            securityContext:
-              readOnlyRootFilesystem: true
-            volumeMounts:
-            - mountPath: /etc/ssh/ssh_known_hosts
-              name: ssh-known-hosts
-              readOnly: true
-              subPath: ssh_known_hosts
-            - mountPath: /home/bot/.config/updatebot
-              name: updatebot-config
-              readOnly: true
-            - mountPath: /home/bot/.ssh
-              name: updatebot-ssh
-              readOnly: true
-            - mountPath: /run/secrets/updatebot
-              name: updatebot-secrets
-              readOnly: true
-            - mountPath: /tmp
-              name: tmp
-              subPath: tmp
-            - mountPath: /usr/bin/diff
-              name: diff
-              readOnly: true
-            - mountPath: /usr/bin/kubectl
-              name: kubectl
-              readOnly: true
-          nodeSelector:
-            kubernetes.io/arch: amd64
-          securityContext:
-            runAsNonRoot: true
-            fsGroup: 25167
-          serviceAccountName: updatebot
-          volumes:
-          - name: diff
-            hostPath:
-              path: /usr/bin/diff
-              type: File
-          - name: kubectl
-            hostPath:
-              path: /usr/bin/kubectl
-              type: File
-          - name: ssh-known-hosts
-            configMap:
-              name: ssh-known-hosts
-          - name: tmp
-            emptyDir:
-              medium: Memory
-          - name: updatebot-config
-            configMap:
-              name: updatebot-projects
-          - name: updatebot-secrets
-            secret:
-              secretName: updatebot
-              defaultMode: 0640
-          - name: updatebot-ssh
-            secret:
-              secretName: updatebot-ssh
-              defaultMode: 0640
--- a/victoria-metrics/alertmanager.config.yml
+++ b/victoria-metrics/alertmanager.config.yml
@@ -11,21 +11,12 @@ receivers:
 - name: ntfy
  webhook_configs:
  - url: http://alertmanager-ntfy:8000/hook
- name: none

 route:
  group_by:
  - '...'
  receiver: ntfy
  routes:
-  - receiver: none
-    matchers:
-    - alertname=Battery Low
-  - receiver: ntfy
-    matchers:
-    - alertname=DiskUsage
-    group_by:
-    - instance
  - receiver: ntfy
    matchers:
    - alertgroup=Frigate
--- a/victoria-metrics/alerts.yml
+++ b/victoria-metrics/alerts.yml
@@ -41,6 +41,58 @@ groups:
  - alert: mdraid failed disk
    expr: collectd_md_md_disks{type="failed"} != 0

+- name: BURP
+  rules:
+  - alert: no recent backups
+    expr: absent(burp_client_last_backup_timestamp)
+    for: 8h
+    annotations:
+      summary: No clients have been backed up recently
+      description: >-
+        This alert indicates that NO clients have been backed up within the
+        last day.  There is likely a problem with the BURP server.
+  - alert: missed client backup
+    expr:
+      time() - (burp_client_last_backup_timestamp > now() - 86400 * 90) > 86400 * 2
+    for: 3h
+    annotations:
+      summary: A client has not backed up today
+      description: >-
+        A client has not been backed up for more than a day.  This may be
+        because the client is offline, or because the backup process has
+        failed.  Clients that have not been backed up for more than 90 days
+        will not trigger this alert.
+  - alert: disks need swapped
+    expr:
+      time() - tlast_change_over_time(
+        (
+          collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"}
+          or last_over_time(collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"})[1d]
+        )[90d]
+      ) > 86400 * 30
+    annotations:
+      summary: The disks in the BURP array need swapped
+      description: >-
+        The disks in the BURP RAID-1 (mirror) array should be swapped
+        periodically. One disk should be online and mounted while the other
+        is stored in the fireproof safe.  Switching them ensures that even if
+        something happens to the active disk, such as hardware failure, power
+        surge, fire, or accidental `rm -rf`, the offline disk is only out of
+        date by a few weeks.
+  - alert: disk needs archived
+    expr:
+      sum(
+        collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type=~"missing|spare"}
+      ) < 1
+    annotations:
+      summary: One of the disks in the BURP array should be archived
+      description: >-
+        The disks in the BURP RAID-1 (mirror) array should be swapped
+        periodically.  One disk should be online and mounted while the other
+        is stored in the fireproof safe.  All of the disks are currently
+        online; one needs to be disconnected and moved to the safe as soon as
+        possible.
+
 - name: certificates
  rules:
  - alert: certificate will expire soon
@@ -68,48 +120,18 @@ groups:
  rules:
  - alert: Frigate is Unavailable
    expr:
-      absent(frigate_service_info)
-      or irate(frigate_service_last_updated_timestamp) < 1
-      or irate(frigate_service_uptime_seconds) < 1
+      homeassistant_entity_available{entity=~".*frigate_(server|status)"} != 1
    for: 10m
  - alert: Camera unavailable
    expr:
      homeassistant_entity_available{domain="camera"} != 1
    for: 10m

- name: Home Assistant
+- name: Sensors
  rules:
  - alert: Battery Low
    expr:
      homeassistant_sensor_battery_percent{entity!~"sensor\\.(pixel_|sm_p610).*"} < 10
-    annotations:
-      summary: >-
-        Low battery: {{ $labels.friendly_name }}
-      severity: minor
-  - alert: Z-Wave Network is Offline
-    expr:
-      sum(
-        homeassistant_entity_available{entity="sensor.usb_controller_status"}
-      ) without (
-        friendly_name
-      ) < 1
-    annotations:
-      summary: The Z-Wave network controller is offline
-      description: >-
-        Home Assistant is not able to communicate with ZWaveJS, or ZWaveJS is
-        not able to connect to the Z-Wave USB controller.  Z-Wave devices like
-        light switches, door sensors, and smart plugs will not work until the
-        Z-Wave network is operational again.
-  - alert: Zigbee Network is Offline
-    expr:
-      homeassistant_binary_sensor_state{entity="binary_sensor.zigbee2mqtt_bridge_connection_state"} == 0
-    annotations:
-      summary: The Zigbee network bridge is offline
-      description: >-
-        Home Assistant is not able to communicate with Zigbee2MQTT, or
-        Zigbee2MQTT is not able to connect to the Z-Wave USB controller.
-        Zigbee devices like smart bulbs and buttons will not work until the
-        Zigbee network is operational again.

 - name: PostgreSQL
  rules:
@@ -119,24 +141,6 @@ groups:
      - ignoring (instance) group_right (scope) (patroni_xlog_replayed_location != 0)
      > 10240
    for: 10m
-  - alert: WAL archive process failed
-    expr: >-
-      pg_stat_archiver_failed_count > 0
-    annotations:
-      summary: The archiver process failed for one or more WAL segments
-      description: >-
-        Check the WAL segment archiver configuration and confirm that WAL
-        segments are being backed up correctly.
-  - alert: No recent WAL archives
-    expr: >-
-      pg_stat_archiver_last_archive_age > 3600
-    annotations:
-      summary: The last successful WAL segment backup was over 1h ago
-      description: >-
-        The WAL archiver process has not run successfully for over an hour.
-        Ensure the WAL backup process is configured correctly and the backup
-        target is online and healthy.
-

 - name: Temperature
  rules:
@@ -144,84 +148,3 @@ groups:
    expr: >-
      {__name__=~"collectd_.*_temperature", sensors!~"i350bb.*"} > 80
    for: 10m
-
- name: Longhorn
-  rules:
-  - alert: Degraded Volumes
-    expr: >-
-      count(longhorn_volume_robustness==2) > 0
-    for: 1h
-  - alert: Faulted Volumes
-    expr: >-
-      count(longhorn_volume_robustness==3) > 0
-    for: 5m
-
- name: Restic
-  rules:
-  - alert: Repository Check Failed
-    expr: >-
-      min(restic_check_success) by (job) < 1
-    annotations:
-      summary: Errors found in restic repository data
-      description: >-
-        The Restic repository has one or more problems that may result in data
-        loss.  Check the restic-exporter log for more information and correct
-        the issue as soon as possible.
-  - alert: Last Backup Age
-    expr: >-
-      time() - restic_backup_timestamp > 604800
-    annotations:
-      summary: A Restic client has not backed up recently
-      description: >-
-        Clients are scheduled to back up every day, but at least one has not
-        been backed up in at least 7 days.  Check the Restic configuration on
-        that system to ensure backups are running properly.
-  - alert: No File Changes
-    expr: >-
-      max_over_time(
-        abs(
-          delta(
-            sum(restic_backup_size_total{
-              client_hostname!="pxe0.pyrocufflink.blue",
-              client_hostname!="web0.pyrocufflink.blue",
-            })
-              by (client_hostname, client_username)
-          )
-        )[7d]
-      ) == 0
-    annotations:
-      summary: The size of the Restic backup has not changed
-      description: >-
-        The size of the Restic backup for a particular client has not changed
-        in at least 7 days.  This may indicate that the backup configuration
-        is incorrect.
-
- name: Paperless-ngx
-  rules:
-  - alert: Celery tasks failed
-    expr: >-
-      max_over_time(
-        increase(
-          flower_events_total{job="paperless-ngx", type="task-failed"}
-        )[24h]
-      ) > 0
-    annotations:
-      summary: Paperless-ngx Celery task failed
-      description: >-
-        Failing Celery tasks may indicate a problem with the Paperless-ngx
-        deployment and can result in data loss.  Check the Paperless-ngx logs
-        for details about the task failures.
-  - alert: Paperless email task not running
-    expr: >-
-      absent(
-        flower_events_total{
-          type="task-started",
-          task="paperless_mail.tasks.process_mail_accounts"
-        }
-      )
-    annotations:
-      summary: Paperless task to process mail accounts has not run recently
-      description: >-
-        Paperless-ngx uses a scheduled Celery task to periodically poll email
-        mailboxes for new messages.  If this task does not start, new email
-        messages will not be downloaded and imported into the document library.
--- a/victoria-metrics/blackbox.yml
+++ b/victoria-metrics/blackbox.yml
@@ -10,7 +10,7 @@ modules:
    timeout: 2s
  dns_recursive:
    dns:
-      query_name: github.com
+      query_name: news.ycombinator.com
      query_type: A
    prober: dns
    timeout: 5s
--- a/victoria-metrics/scrape.yml
+++ b/victoria-metrics/scrape.yml
@@ -34,7 +34,10 @@ scrape_configs:
    - icmp
  static_configs:
  - targets:
-    - 23.29.47.1
+    - github.com
+    - cloudflare.com
+    - amazonaws.com
+    - azure.com
  relabel_configs:
  - source_labels: [__address__]
    target_label: __param_target
@@ -57,9 +60,11 @@ scrape_configs:
    - http://pyrocufflink.net/
    - http://ebonfire.com/
    - http://chmod777.sh/
+    - https://hatch.chat/_matrix/client/versions
    - https://nextcloud.pyrocufflink.net/
    - https://bitwarden.pyrocufflink.blue/
    - https://git.pyrocufflink.blue/
+    - https://jenkins.pyrocufflink.blue/login
    - https://tabitha.biz/
    - https://dustinandtabitha.com/
    - https://hatchlearningcenter.org/
@@ -76,9 +81,13 @@ scrape_configs:
  static_configs:
  - targets:
    - gw1.pyrocufflink.blue
+    - loki0.pyrocufflink.blue
    - nut0.pyrocufflink.blue
    - nvr2.pyrocufflink.blue
-    - unifi3.pyrocufflink.blue
+    - serial1.pyrocufflink.blue
+    - unifi2.pyrocufflink.blue
+    - vmhost0.pyrocufflink.blue
+    - vmhost1.pyrocufflink.blue
  file_sd_configs:
  - files:
    - /scrape/collectd/scrape-collectd.yml
@@ -194,6 +203,23 @@ scrape_configs:
  - targets:
    - git.pyrocufflink.blue

+- job_name: synapse
+  metrics_path: /_synapse/metrics
+  static_configs:
+  - targets:
+    - matrix0.pyrocufflink.blue
+  relabel_configs:
+  - source_labels: [__address__]
+    target_label: instance
+  - source_labels: [__address__]
+    target_label: __address__
+    replacement: '$1:9000'
+
+- job_name: unifi
+  static_configs:
+  - targets:
+    - unifi.pyrocufflink.blue:9130
+
 - job_name: jenkins
  metrics_path: /prometheus/
  scheme: https
@@ -201,6 +227,20 @@ scrape_configs:
  - targets:
    - jenkins.pyrocufflink.blue

+- job_name: burp
+  scrape_interval: 270s
+  scrape_timeout: 30s
+  static_configs:
+  - targets:
+    - burp.pyrocufflink.blue:9645
+
+- job_name: minio-backups
+  metrics_path: /minio/v2/metrics/cluster
+  scheme: https
+  static_configs:
+  - targets:
+    - burp.pyrocufflink.blue:9000
+
 - job_name: kubernetes
  scheme: https
  tls_config:
@@ -250,8 +290,11 @@ scrape_configs:
  metrics_path: /bridge?selector=zincati
  static_configs:
  - targets:
+    - loki0.pyrocufflink.blue
    - nut0.pyrocufflink.blue
-    - unifi3.pyrocufflink.blue
+    - nvr2.pyrocufflink.blue
+    - serial1.pyrocufflink.blue
+    - unifi2.pyrocufflink.blue
  kubernetes_sd_configs:
  - role: node
  relabel_configs:
@@ -277,24 +320,18 @@ scrape_configs:
  scheme: https
  tls_config:
    ca_file: /run/dch-ca/dch-root-ca.crt
-  dns_sd_configs:
-  - names:
+  static_configs:
+  - targets:
    - loki.pyrocufflink.blue
-    type: A
-    port: 443
-  relabel_configs:
-  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
-    separator: ':'
-    target_label: __address__
-  - source_labels: [__address__]
-    target_label: instance

 - job_name: promtail
  static_configs:
  - targets:
+    - loki0.pyrocufflink.blue
    - nut0.pyrocufflink.blue
    - nvr2.pyrocufflink.blue
-    - unifi3.pyrocufflink.blue
+    - serial1.pyrocufflink.blue
+    - unifi2.pyrocufflink.blue
  kubernetes_sd_configs:
  - role: pod
    namespaces:
@@ -419,17 +456,6 @@ scrape_configs:
    target_label: __address__
    replacement: '$1:9187'

- job_name: wal-g
-  static_configs:
-  - targets:
-    - db0.pyrocufflink.blue
-  relabel_configs:
-  - source_labels: [__address__]
-    target_label: instance
-  - source_labels: [__address__]
-    target_label: __address__
-    replacement: '$1:9102'
-
 - job_name: rabbitmq
  kubernetes_sd_configs:
  - role: pod
@@ -447,41 +473,3 @@ scrape_configs:
  - source_labels:
    - __meta_kubernetes_pod_name
    target_label: instance
-
- job_name: ntfy
-  kubernetes_sd_configs:
-  - role: pod
-    namespaces:
-      names:
-      - ntfy
-    selectors:
-    - role: pod
-      label: app.kubernetes.io/name=ntfy
-  relabel_configs:
-  - source_labels:
-    - __meta_kubernetes_pod_name
-    target_label: instance
-
- job_name: frigate
-  dns_sd_configs:
-  - names:
-    - frigate.pyrocufflink.blue
-    type: A
-    port: 9100
-  relabel_configs:
-  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
-    separator: ':'
-    target_label: __address__
-  - source_labels: [__address__]
-    target_label: instance
-
- job_name: haproxy
-  static_configs:
-  - targets:
-    - haproxy0.pyrocufflink.blue
-  relabel_configs:
-  - source_labels: [__address__]
-    target_label: instance
-  - source_labels: [__address__]
-    target_label: __address__
-    replacement: '$1:8118'
--- a/websites/darkchestofwonders.us/ingress.yaml
+++ b/websites/darkchestofwonders.us/ingress.yaml
@@ -8,17 +8,10 @@ metadata:
    app.kubernetes.io/component: darkchestofwonders.us
    app.kubernetes.io/part-of: darkchestofwonders.us
  annotations:
-    cert-manager.io/cluster-issuer: zerossl
-    cert-manager.io/private-key-algorithm: ECDSA
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
 spec:
  ingressClassName: nginx
-  tls:
-  - hosts:
-    - '*.darkchestofwonders.us'
-    - darkchestofwonders.us
-    secretName: dcow-cert
  rules:
  - host: darkchestofwonders.us
    http:
--- a/xactmon/config.toml
+++ b/xactmon/config.toml
@@ -1,25 +1,16 @@
 processor_rules = "/etc/xactmon/rules.toml"

-[[jmap]]
-name = "default"
+[jmap]
+url = "https://api.fastmail.com"
 token_file = "/run/secrets/xactmon/fastmail.token"

-[[jmap]]
-name = "hlc"
-token_file = "/run/secrets/xactmon/hlc.fastmail.token"
-mailbox_name = "NEW/CommerceBank Alerts"
-
 [amqp]
 url = "amqps://xactmon@rabbitmq.pyrocufflink.blue?auth_mechanism=external"
 clientcert = "/run/secrets/rabbitmq/cert/keystore.p12"
 clientcert_password = "/run/secrets/rabbitmq/password"
 cacert = "/run/dch-ca/dch-root-ca.crt"

-[firefly.default]
+[firefly]
 url = "https://firefly.pyrocufflink.blue"
 token_file = "/run/secrets/xactmon/firefly.token"
 error_if_duplicate_hash = false
-
-[invoiceninja.hlc]
-url = "https://invoiceninja.pyrocufflink.blue"
-token_file = "/run/secrets/xactmon/invoiceninja.token"
--- a/xactmon/secrets.yaml
+++ b/xactmon/secrets.yaml
@@ -29,10 +29,8 @@ metadata:
    app.kubernetes.io/component: xactmon
 spec:
  encryptedData:
-    fastmail.token: AgAv9tf/jBhwvJVQA+B0U/je6Pb+rzaCRLdq/KXYO3dOOnGx7Hc8vCnGvSFlM7jlDLxXBWtny4cjFJwj0QkI/YwVzpMzYP2FXJ6GPui1BzL7pTSwHx/9wyYxPzy/TXSY+R77g6fqSscSh8LsA12JxrgbpHXq6UHkzjbPYSv2hYFxHyD2fWIPlzApoMLlvGFtywsn6iDwtJNL+wLL7vaI3zgdA+ahQ06wNsOJUxMPyQNcj0EciVRbLoQz9dBw2I4yXUOYWPONs13VD5YjpzQU7LkzbZjHicU+jwEhb8fCdrTEspGzNS6+6cn406vZzei41WZlvA48S1XR0hRjt+DEQJB4cn7Sl9POl9dtxo9CLp7/j3KAqWPCT6EB+Dcx+3r2e59gC8gF99yPOvVULyEndYWKkuj6wohh4QneZ1kFHANGjzNMiygRAIW5OxFUgENaxL5isXcSJc9DqwhJQ1Re176hAtFKxkp/nJYpw54oXU7ZWCV6T95caCqRisJbS7c25sFQk+kEqYrr6Baza//zlDn4mN4S3NGlsqrCpl4PaFi9VAyHVwn2kR5TEGn5TEr9cxKeGFH7AlAKyG/MA0h1mCVYB/+fBqLnAYkHdFh5cIvHPNzJuc4jllLK3bwXITrkKFhvObuQzXQRp591vyduki2JJWrRgMt/WwQrC11wwqfGYZ6JP3dLqrRRRWFDTW8ap2j4YhH/hNqLezSR0jLTlyllb2edDAYYj9XFARW7Pdu68tY97fEJ8tuXS43MnmBV3ma5iBnKl+A94PdIE1D+SkBYRFbnlDUoNTgOTWDnW6lij6E=
-    firefly.token: AgBr9HzzALDzRwn0deyJnx4ohoP6aioC1CWmV+gt0TcY4b7C6DMHosfxo5UK90QV8H01sYJQZS4448ZssftkobHnY8sSuuglLyfHHeAuj2drEbmEeaiCIHKM5oftezeN0LvPF7v/Hwp1QfqE+MJiUMQ9Dhz/Mbuh54yKIx+YHviIsZxfwjp8a8Ocus//UeJyQBpNvkloMRtTlrZDqA2KBWqZI59kjIOITYeXXZUijCiOG+s+4eBcFCf/CsMy5fLABedGaxWt4mzo28TlozvhBl0D0NwiMPvMR19j9033QTYMEb2jq04ocsdSpNW3epE9y++dQbh2JpYIWp+l9cMw0TjrenBkTas3fc5vMRsHOqyYOnubZyboDvLLXOA6DkVRUVlyNVTw9cgBVVcnOCtfRFFcyVFmop17VvESkzEOV7p+g5yron4Goc5BrAPTmKtRlXbu22AEC4sFuDYCwqc/rh8oO+5XKa+q109OR1S/5fzZ+ggJhZM6ODYMLWCgBInjBy7urxlwLFJRM+P26tAnq/wK0DNK6Vjb46c/Ah+tn8S9W/VcyVAzuQ2HOb6tIE8ug3biu757U2mny4wH7hAbEFxiRbeCpnervO//Nz0WUyeSrV7HgIRMx74Bn0fqMwZX66TOWkeWJrDPOWheFNutYV0JTN7e51jkFjBZ6SiBC4mrGkHMC+DigI1e9TAg4OFTKBw/R/GepfEoaRukoWPhze3SZzN71L/p1AJ9rLLKgVKmKylSzRZxO64iEpFIW8g1CcwQwbv5wPkgsLqGx9PIWvUTBVtQsHZqnTsI4P0XyPqijKsDM5aSP8o9u4I+N4D/odjbtx37tOm1a861l0fDdByTxRfzT1WAOVhwzREfmggtT9lOdwlB+H2jTrIeXZ/S4GZWY+HAN9A4ZbYBrWtcS6ShNywgU89vDR0Ak3Cs86YxjowJYjA4r/bl41asOK8GWuJiH1AwBQPolNoUwW2MkwqTWHRE1+o6pFR8l17dNTDS9JR2KmPyUvi5ubQd6patboosEHf0oMa+KNKywkTP6BB3Hb0Vpsc2udkim1tVlV7AndHndjTdYX5+HxA+pleMxKGkOUgkzfhnxflSt3RjNa+WO6bQWaLvSH+Pl3IsRdtT6H1zW77pUrfE2QVV8ChvWAxuY8R19/qt40Hjq6v3lW7CTnJQM+zYthSL7ovWEkBi1bN95FQNt8wTawFnA2wYcMLvJRyE8d1Sgv1blpY36DJEZRnzAnWZVuRVXwufubQ0ResEd6JZxu+vU2IZzUweV5j/74opEBk62bIYqk41kebk6+fv1kQxnm3wdK/rh0ENXttZPsvW/PkC1aHCBswV3BT7Lh8kxLUT0eGqQvzYAjp5rk5uLy+lvDJC5IR/jZUUDooUkTu/xxTQL8PBePfwnP7SLB6oi4Ikoy3zT1CpbgoOXZypYJiIycKJP0OTl0YCEoU30x0MRkNM9ao3Crv7Dyvpoy+lzs8INxEki9LYb+6oB6snyd9hbgY9PktcHpe8DzoTw2AEY0008VxdtjlApaEEyc1ID965pJjEMYElqS76+x+R1BviKhZ0ewCs+WIalD/8QXOtdRAWK109wGpGo147qmDH40TcCJ48kqhFj5SmnTXPUBY67hrLOw/ewp5kmu1fQmVvCh4+BdZnhejLn2SuXEBEY9ZiReOja1UuYjEYPcs8w+qJM8zI8tVF/f8vHiDBq8yCVJAMgoQltzlWzZ+Dau/6GBMaeR5nuVurTGmjDd1kka7eHaoFB6OEaVFLoR9NBeHT9If5nPxCA+fiev5YhxCVAiLiUuYnVtEaQ/Ih0Y2ntvXpMa1vK5vUXne3rE6JRQ7WX7cu/rTwCwe4K9WHzHmpwpeCKa3o4OYnQSsUDx70xg+xCM8kaN76LW08Y2f4Pgx1qSsysyRmERe6fabr0yvCDHnrtnQDCjYtiwmRJ+/jbOOB8Ih7AuMVfSBa807nu6KNfr48Zm1hnvmLFBVmjRc7LlM2bcabGasak6kI8ODeY0YFbJM=
-    hlc.fastmail.token: AgCVWELi/+cm/52Mi7dCnL20nOHPWrwum8Ia0L9cjujgJBFUuuVSkRHcpmPC/864kOb0ElGXu0QjvbTriD8qaDs30zl21MB1OCMluemttj5J5pMfrKtjjmyZPgHs/LPV/7y0Wj2zRiVwb0LgNWlJDGN6VKmSeVgmgFlX4Ri28XVgodS6zCHUdzu4vUnra0lBP1IJ7rDbMa/ODUA5YbsbAvTdRcIH/gG5KE39pp1JjPuGbM5pQJQ5CqVdEUZlsymE7TghBjxXlcZDD4ZkjN11M5J0MSoW7do3m9yWBrMUt1DDX3h3l2RenTg1D994dwf4D5J419en0YACXZcgIYAGvoFHPkLXzHtu6SPwvTZ6SVgEaejyPHfLug9Tbdye2qRFj78Am6q72ZTHEAbh9QrUFm8zE8Owb7XzGU5YEpvaZxbPwSj8ca2zJ7s6ottcxuH6e1KuqFXZowaUAX6ITnTuzoB5TCT0Nshqv+wiP1vrgpxewHii10KNZ5vciovjz/pwq1y4ktQyWvsryg3uyShI28A7l6Fi0psFHsc06zo86HoA5EhBiY4LRHAKOswS1dUftAAL/JRa7Ra/uLJx15Mso8L/F1T3EDhHUl5Klg/pQwkkAq7Rv1UOQerVZiP0VnfQ2Rpolj10uEWj1ouhoXWMa+wNBFze4nnRLtuPFTj1hSVpo2OMM+B7j7X+Yw59yP7oiay+N5Pppuftxlh/snfkNlVYpFlFAtd6i8gGwMkCt5hPZzv47ZvZWUVVuDb6YsffDQyejZYHeevHDbOJAGBqmINUD11qXPf0OhFt5d7ZEQleFms=
-    invoiceninja.token: AgBH1Ec9CKBGCz4SwMLsovglx56g+MlYchkSQtSqlmLZvDm+tfXBilYk+ZBjpXa6dinPRW50SZ0HK+422OqRFfO55JFq/Tanltwb+yLKoak3rlnOpFgWoA7YFMl3Mzk7H46BTr0deiyJSRzia4KUla1SxL7uBkND41+9IqjH5DNTmtXOz320uvHzg0cLGAKyU5zAxa/YLDHNZNybgoaBcOQRlfNaWQcZJNLGh13tQYKt01+InJ4wWwaEp4FqmfOq/LUZWJDobYU0hlDI02vVKA7B9VwWge4/EZOW5HKoeACVtpozCS3rgqKM55ddv/4Da7EKTzCqyS+Ax6+3KNMDma27wXw/ci/wSTaRUOnaqnBlxUjeVWkHoZXBFBqGLxmI7aXLmER7/llqZDobj2NzdqVQCeW8Gyno3q3AtW6DggKBBVsj/H4+TWodmGj2Y/UhsftDm2XCqEIUL9RgIHrRuwjRuU+fM/Pm/xsb08tDD3c1zFAFPHSMdQ53jQOtaY062E7x5a264XohzY1P5lSL2ypTI12S3sKJJdylBFwAT5gGJXk8boSFdEXqMeyk98NR8pi5RC6782ERJlnJ0Mw13uP0Fmj29pKIJK0bSSYJtRk/Hr6ShhbbaB5BvtvHVAGSz6k7oD33sCnJvd2fPFlKyp41HCBWHAOPo3rCfMzkMDgxQr2voqua13HlY7WtLXGft762rAXIguzR2rvpDzPs1bnkJZLhU4Cow5R9m1U4MU81i556lrcxJl1DTOXt78koT87TDaEzipINgk/G/jb7g8GW
+    fastmail.token: AgB7GUTJ4QqkLDUy2DePEb3OLtKNik6xw46oe2WA0HC37CEG02KREFK4vJFcbUAwkqpGO51FYWq1JmvKxzIse9265N98Dl1D0w9AVLKBBuSAT915DK6W8ya9zVLgYlPBnhlBZzwRjwSN3i5dREbvIGtmnZseZYgXCWuE1JRGbd/HXDOnPSq98rM/XtDUZ+p8x40LpC1rYAVmTHrDoLOHM1Gyt6X6jR6jifWtmOXoPFE4VDdidaIhmHa7mJoboHuaH+8QSlCrwqw6aG5EVJ1GzKbCaWiVjSgGFLVJjHJRJHUQTa48vlDhMlPOgSQ5ur2VMuBaw+9FpjVukL4pT/GCNAAXpotkx/EQg3iVJsboC3D5Xt5P92KbJpZrzH8EHZg5mLNz7rUOcj4Q5LHdECmlrOsLLXAWtc2u0eTo/28V8ZaZZgORWCbsHom8ziaS2txMQP3S2uUIH7g67kRLuD91nw/n3sCaxrJtDsHnvvLkanCdooPPzyMRrVqu0OP4nbzWeCoziI8JLjp++RZ56Ztzik9PtpqHnJERedShH/GXD0P5B7oTPf1qbv3Z3w4N/ujXSmIxK0RvwBDqgzfzyRHQkzxq4EK4Y98KKEjQHM5bgD3lreuIw+mSvBS4qoZGse4LkCMNOdcm0qDGeVnhbE54a36USqpPte1dxyvrL61vaT7HZDTVV0ib8c/YJ3sYz8jrt9By7cXtjyVWD0j+m2Jb22ZrqvnwpW5mgC3O+C2maRTuaZd8s8E2Qr0RM4mPUA+jXHP4mBPhGDkO2x378vFUA/u9OPToTDSYl6H9ZaLvyITWhs4=
+    firefly.token: AgCIWvJbsDNlFaEqqCvzyyv2eBAoUzrlNrNjgA/xQvVUe971FdqBiMOBJyErflO3tbKo2B3+Z2zNfbhIX6PEDqUxW8p5cBXSljZBezcFbk0TdmPuHUuKC81aZmKh7m4gSBTjgpdRECLByzrVCI11zYm7VnhGDIwz5aPHCnx8JYFsHUw7KcE7CKqEC9xxOsAIIAygIogZFKcxCDW9uvZ8PjH9iCZkCoag5WXQiFT1OIAF2ikqyqc7mg8TEaZqPIlH2Va7vQxUVElIxaXaTwa7Lli4xi/Atn3WdrvWu5xWXZjlZuCXN9XkjK6+1SyA0a2k6fy1fDZlkuFwosfKEt/Hk6kxuWoJm+YFSnj+PIciLd8LDbxGxQLzTtZtqW2nsYiMB5fB/iS4kunoLkErgGwDhT3cfqLVFfbcYK8vBkrrScTeVuLcvF27HYOS86SPU12MwvoVA6qhg5EvQVG3Jnk6i6NxgEm7noOZZsckXyJaNhQIb0LlhVHcObJ152+hEDkypISBymiU/FcQFZPLsG3TdCJ1dMudX1ijT0puSHt0LPkGSbn7562kcOU6uDPn9VBQBQuhz16FHzJQ6ZtzVREcRIkTQU8tQaj6AzmTkbQBmAITvQfYdPQus1EDXfVT8taoeYglf5cMmq+o0IhB8hDZ+r79lU2AJVjML0sOGeYrsQJorewqoiSSkc8XdXemr9/NbTeQX3eP5xqmN1Sr6ZiSMgapqXR4Kyh1ryLDy49bMwi6mK7g9Ja0iYQ5qoyZDrt7mK5RdHaAZO39Ot0LHwkInOBqpxldKcHQM+RxWDGp0mpHsNRFrxblw+wYfOOVfI9AYXstk+yujdGESiCEUutKioFJ3Knj+k31MwDJVUhuxNZqtPCcSNz5UUg5vznoNbz5U8szoCPzJaBVXixqi1WABZyk+UnRZtGvM9qXetadfRm4Fnmk610D9Ebl6pYU5FNt7+EQtn9Vwo9J0QYJxVi6/NDG5709Rrv156OKY+bridr4RSK953rFNYirrEJRs3D8f11n2nxBOnlnN2XUCmwIrXKVpt753hi0QHgMy11QghVlCBVZYgqI2+LA9OY5rbyxgwx/nv9T8BwvXPLZh+FUc4VOdNE/WwcdLVaRvE5bVrTe9XF61LqLmmnXL0IFpvQJSCZseICAH/joPoVuDVlzlDj2Sk3JVDnke3BSF9m97W3Wleuk/wm6nFIqSQLz5ga9ida0oJyjH56kpuqe6OyQnTc83jqYvB1z0A98FNBORfF12DsTbnLcLrIh2aE0kVZ5NfY7fYXpVkWdwaeR/QeKLLKH/B/TTdd5xwbuLT+d+AGTMbG4neTitmyneF6mu7YFjLj72KlAdB3QiSHSmyjs7PZqVl17kYAkfjkcx6FZ8tzzoQmYgJKhBr7YMIkTAj3tF15/yRvni8CUuBnKpUxW966sjsFYLLNeIDG1yhsc+rKwcwSUuJssWomD9i7a5DfTTmMA0XGZdObwldDTj9TGi5PcFCAhYknOK6x2mLIrrLP3eLgKxPD8uaQdomKJ3kEoriy1liz2gkuxZd9R3MOO2s3Ne9cdG/y0HySx8WCTwF2Bti/UzTXn4jXGhyGRGoVRBFPhkR3Z6PAUzAGmO/+hwWZVqWMCT1M2GLfGe1eAEbEDET88htq7giCzX6z6Shquv4i6Wtwh3PQdIOXa7XxqQFUItdLP1KcT/9o9H52v3UdS59HpmFqr0qv384VWK6y8KBSP/PA/Y+9G7pWB0LXz1p6UNJXEMc/+fnuVmpCxqxftE6VjQZIAXfKMIYehiVhEPKzmoCmDove8gwEB6IAYqCkWomvd4cdehfd+5T0cNgsk0tvwkG+TWiQZmD4bc6dfA4/Xn9ByGlL3mJGWSqSEQiJkdDxE45uI4tw1tXirz2jW4f+S728zMWvCNyPO+Bp7DMsooiXyTZ5q85Pqm8igu2RMdGE2ZyGk4KeStqJQhsY+80FtdrxDnwf1vFUExZZLIONkH3zPgdF+PlLCPROIGryF/m6TXRSZ1bc=
  template:
    metadata:
      name: xactmon
--- a/xactmon/xactmon.yaml
+++ b/xactmon/xactmon.yaml
@@ -22,9 +22,8 @@ spec:
        imagePullPolicy: Always
        args:
        - receiver-jmap
+        - /etc/xactmon/config.toml
        env:
-        - name: XACTMON_CONFIG
-          value: /etc/xactmon/config.toml
        - name: RUST_LOG
          value: xactmon=trace,info
        - name: TZ
@@ -103,9 +102,8 @@ spec:
        imagePullPolicy: Always
        args:
        - processor
+        - /etc/xactmon/config.toml
        env:
-        - name: XACTMON_CONFIG
-          value: /etc/xactmon/config.toml
        - name: RUST_LOG
          value: xactmon=trace,info
        - name: TZ
@@ -184,92 +182,8 @@ spec:
        imagePullPolicy: Always
        args:
        - importer-firefly
-        - default
+        - /etc/xactmon/config.toml
        env:
-        - name: XACTMON_CONFIG
-          value: /etc/xactmon/config.toml
-        - name: RUST_LOG
-          value: xactmon=trace,info
-        - name: TZ
-          value: America/Chicago
-        volumeMounts:
-        - mountPath: /etc/xactmon
-          name: xactmon-config
-          readOnly: true
-        - mountPath: /run/dch-ca
-          name: dch-ca
-          readOnly: true
-        - mountPath: /run/secrets/xactmon
-          name: xactmon-secrets
-          readOnly: true
-        - mountPath: /run/secrets/rabbitmq/password
-          name: rabbitmq-cert-password
-          subPath: password
-          readOnly: true
-        - mountPath: /run/secrets/rabbitmq/cert
-          name: rabbitmq-cert
-          readOnly: true
-        - mountPath: /tmp
-          name: tmp
-          subPath: tmp
-      imagePullSecrets:
-      - name: imagepull-gitea
-      securityContext:
-        runAsUser: 251
-        runAsGroup: 251
-        fsGroup: 251
-      volumes:
-      - name: dch-ca
-        configMap:
-          name: dch-root-ca
-      - name: rabbitmq-cert
-        secret:
-          secretName: rabbitmq-cert
-          defaultMode: 0440
-      - name: rabbitmq-cert-password
-        secret:
-          secretName: rabbitmq-cert-password
-          defaultMode: 0440
-      - name: tmp
-        emptyDir:
-          medium: Memory
-      - name: xactmon-config
-        configMap:
-          name: xactmon
-      - name: xactmon-secrets
-        secret:
-          secretName: xactmon
-          defaultMode: 0440
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: xactmon-importer-invoiceninja
-  labels:
-    app.kubernetes.io/name: xactmon-importer-invoiceninja
-    app.kubernetes.io/component: importer-invoiceninja
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: xactmon-importer-invoiceninja
-      app.kubernetes.io/component: importer-invoiceninja
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: xactmon-importer-invoiceninja
-        app.kubernetes.io/component: importer-invoiceninja
-    spec:
-      containers:
-      - name: importer-invoiceninja
-        image: git.pyrocufflink.net/packages/xactmon
-        imagePullPolicy: Always
-        args:
-        - importer-invoiceninja
-        - hlc
-        env:
-        - name: XACTMON_CONFIG
-          value: /etc/xactmon/config.toml
        - name: RUST_LOG
          value: xactmon=trace,info
        - name: TZ
				`@@ -1 +0,0 @@`
				`ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette`
				`@@ -1 +0,0 @@`
				`ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot`